Computer Security - Discussion
Chapter 8 Principles of Security Models, Design, and Capabilities
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 3: Security Architecture and Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems
Understanding the philosophy behind security solutions helps to limit your search for the best controls for specific security needs. In this chapter, we discuss security models, including state machine, Bell-LaPadula, Biba, Clark-Wilson, Take-Grant, and Brewer and Nash. This chapter also describes Common Criteria and other methods governments and corporations use to evaluate information systems from a security perspective, with particular emphasis on U.S. Department of Defense and international security evaluation criteria. Finally, we discuss commonly encountered design flaws and other issues that can make information systems susceptible to attack.
The process of determining how secure a system is can be difficult and time-consuming. In this chapter, we describe the process of evaluating a computer system’s level of security. We begin by introducing and explaining basic concepts and terminology used to describe information system security concepts and talk about secure computing, secure perimeters, security and access monitors, and kernel code. We turn to security models to explain how access and security controls can be implemented. We also briefly explain how system security may be categorized as either open or closed; describe a set of standard security techniques used to ensure confidentiality, integrity, and availability of data; discuss security controls; and introduce a standard suite of secure networking protocols.
Additional elements of this domain are discussed in various chapters: Chapter 6, “Cryptography and Symmetric Key Algorithms,” Chapter 7, “PKI and Cryptographic Applications,” Chapter 9, “Security Vulnerabilities, Threats, and Countermeasures,” and Chapter 10, “Physical Security Requirements.” Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.
Implement and Manage Engineering Processes Using Secure Design Principles
Security should be a consideration at every stage of a system’s development. Programmers should strive to build security into every application they develop, with greater levels of security provided to critical applications and those that process sensitive information. It’s extremely important to consider the security implications of a development project from the early stages because it’s much easier to build security into a system than it is to add security onto an existing system. The following sections discuss several essential security design principles that should be implemented and managed early in the engineering process of a hardware or software project.
Objects and Subjects
Controlling access to any resource in a secure system involves two entities. The subject is the user or process that makes a request to access a resource. Access can mean reading from or writing to a resource. The object is the resource a user or process wants to access. Keep in mind that the subject and object refer to some specific access request, so the same resource can serve as a subject and an object in different access requests.
For example, process A may ask for data from process B. To satisfy process A’s request, process B must ask for data from process C. In this example, process B is the object of the first request and the subject of the second request:
First request: process A (subject) → process B (object)
Second request: process B (subject) → process C (object)
This also serves as an example of transitive trust. Transitive trust is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property—which works like it would in a mathematical equation: if a = b, and b = c, then a = c. In the previous example, when A requests data from B and then B requests data from C, the data that A receives is essentially from C. Transitive trust is a serious security concern because it may enable bypassing of restrictions or limitations between A and C, especially if A and C both support interaction with B. An example of this would be when an organization blocks access to Facebook or YouTube to increase worker productivity. Thus, workers (A) do not have access to certain internet sites (C). However, if workers are able to access a web proxy, virtual private network (VPN), or anonymization service, then this can serve as a means to bypass the local network restriction. In other words, if workers (A) are accessing VPN service (B), and the VPN service (B) can access the blocked internet service (C), then A is able to access C through B via a transitive trust exploitation.
Closed and Open Systems
Systems are designed and built according to one of two differing philosophies: A closed system is designed to work well with a narrow range of other systems, generally all from the same manufacturer. The standards for closed systems are often proprietary and not normally disclosed. Open systems, on the other hand, are designed using agreed-upon industry standards. Open systems are much easier to integrate with systems from different manufacturers that support the same standards.
Closed systems are harder to integrate with unlike systems, but they can be more secure. A closed system often comprises proprietary hardware and software that does not incorporate industry standards. This lack of integration ease means that attacks on many generic system components either will not work or must be customized to be successful. In many cases, attacking a closed system is harder than launching an attack on an open system. Many software and hardware components with known vulnerabilities may not exist on a closed system. In addition to the lack of known vulnerable components on a closed system, it is often necessary to possess more in-depth knowledge of the specific target system to launch a successful attack.
Open systems are generally far easier to integrate with other open systems. It is easy, for example, to create a local area network (LAN) with a Microsoft Windows Server machine, a Linux machine, and a Macintosh machine. Although all three computers use different operating systems and could represent up to three different hardware architectures, each supports industry standards and makes it easy for networked (or other) communications to occur. This ease comes at a price, however. Because standard communications components are incorporated into each of these three open systems, there are far more predictable entry points and methods for launching attacks. In general, their openness makes them more vulnerable to attack, and their widespread availability makes it possible for attackers to find (and even to practice on) plenty of potential targets. Also, open systems are more popular than closed systems and attract more attention. An attacker who develops basic attacking skills will find more targets on open systems than on closed ones. This larger “market” of potential targets usually means that there is more emphasis on targeting open systems. Inarguably, there’s a greater body of shared experience and knowledge on how to attack open systems than there is for closed systems.
Open Source vs. Closed Source
It’s also helpful to keep in mind the distinction between open-source and closed-source systems. An open-source solution is one where the source code, and other internal logic, is exposed to the public. A closed-source solution is one where the source code and other internal logic is hidden from the public. Open-source solutions often depend on public inspection and review to improve the product over time. Closed-source solutions are more dependent on the vendor/programmer to revise the product over time. Both open-source and closed-source solutions can be available for sale or at no charge, but the term commercial typically implies closed-source. However, closed-source code is often revealed through either vendor compromise or through decompiling. The former is always a breach of ethics and often the law, whereas the latter is a standard element in ethical reverse engineering or systems analysis.
It is also the case that a closed-source program can be either an open system or a closed system, and an open-source program can be either an open system or a closed system.
Techniques for Ensuring Confidentiality, Integrity, and Availability
To guarantee the confidentiality, integrity, and availability of data, you must ensure that all components that have access to data are secure and well behaved. Software designers use different techniques to ensure that programs do only what is required and nothing more. Suppose a program writes to and reads from an area of memory that is being used by another program. The first program could potentially violate all three security tenets: confidentiality, integrity, and availability. If an affected program is processing sensitive or secret data, that data’s confidentiality is no longer guaranteed. If that data is overwritten or altered in an unpredictable way (a common problem when multiple readers and writers inadvertently access the same shared data), there is no guarantee of integrity. And, if data modification results in corruption or outright loss, it could become unavailable for future use. Although the concepts we discuss in the following sections all relate to software programs, they are also commonly used in all areas of security. For example, physical confinement guarantees that all physical access to hardware is controlled.
Confinement
Software designers use process confinement to restrict the actions of a program. Simply put, process confinement allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing. The operating system, or some other security component, disallows illegal read/write requests. If a process attempts to initiate an action beyond its granted authority, that action will be denied. In addition, further actions, such as logging the violation attempt, may be taken. Systems that must comply with higher security ratings usually record all violations and respond in some tangible way. Generally, the offending process is terminated. Confinement can be implemented in the operating system itself (such as through process isolation and memory protection), through the use of a confinement application or service (for example, Sandboxie at www.sandboxie.com), or through a virtualization or hypervisor solution (such as VMware or Oracle’s VirtualBox).
Bounds
Each process that runs on a system is assigned an authority level. The authority level tells the operating system what the process can do. In simple systems, there may be only two authority levels: user and kernel. The authority level tells the operating system how to set the bounds for a process. The bounds of a process consist of limits set on the memory addresses and resources it can access. The bounds state the area within which a process is confined or contained. In most systems, these bounds segment logical areas of memory for each process to use. It is the responsibility of the operating system to enforce these logical bounds and to disallow access to other processes. More secure systems may require physically bounded processes. Physical bounds require each bounded process to run in an area of memory that is physically separated from other bounded processes, not just logically bounded in the same memory space. Physically bounded memory can be very expensive, but it’s also more secure than logical bounds.
Isolation
When a process is confined through enforcing access bounds, that process runs in isolation. Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process. Isolation is used to protect the operating environment, the kernel of the operating system (OS), and other independent applications. Isolation is an essential component of a stable operating system. Isolation is what prevents an application from accessing the memory or resources of another application, whether for good or ill. The operating system may provide intermediary services, such as cut-and-paste and resource sharing (such as the keyboard, network interface, and storage device access).
These three concepts (confinement, bounds, and isolation) make designing secure programs and operating systems more difficult, but they also make it possible to implement more secure systems.
Controls
To ensure the security of a system, you need to allow subjects to access only authorized objects. A control uses access rules to limit the access of a subject to an object. Access rules state which objects are valid for each subject. Further, an object might be valid for one type of access and be invalid for another type of access. One common control is for file access. A file can be protected from modification by making it read-only for most users but read-write for a small set of users who have the authority to modify it.
There are both mandatory and discretionary access controls, often called mandatory access control (MAC) and discretionary access control (DAC), respectively (see Chapter 14, “Controlling and Monitoring Access,” for an in-depth discussion of access controls). With mandatory controls, static attributes of the subject and the object are considered to determine the permissibility of an access. Each subject possesses attributes that define its clearance, or authority, to access resources. Each object possesses attributes that define its classification. Different types of security methods classify resources in different ways. For example, subject A is granted access to object B if the security system can find a rule that allows a subject with subject A’s clearance to access an object with object B’s classification.
Discretionary controls differ from mandatory controls in that the subject has some ability to define the objects to access. Within limits, discretionary access controls allow the subject to define a list of objects to access as needed. This access control list serves as a dynamic access rule set that the subject can modify. The constraints imposed on the modifications often relate to the subject’s identity. Based on the identity, the subject may be allowed to add or modify the rules that define access to objects.
Both mandatory and discretionary access controls limit the access to objects by subjects. The primary goal of controls is to ensure the confidentiality and integrity of data by disallowing unauthorized access by authorized or unauthorized subjects.
Trust and Assurance
Proper security concepts, controls, and mechanisms must be integrated before and during the design and architectural period in order to produce a reliably secure product. Security issues should not be added on as an afterthought; this causes oversights, increased costs, and less reliability. Once security is integrated into the design, it must be engineered, implemented, tested, audited, evaluated, certified, and finally accredited.
A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment. Assurance is simply defined as the degree of confidence in satisfaction of security needs. Assurance must be continually maintained, updated, and reverified. This is true if the trusted system experiences a known change or if a significant amount of time has passed. In either case, change has occurred at some level. Change is often the antithesis of security; it often diminishes security. So, whenever change occurs, the system needs to be reevaluated to verify that the level of security it provided previously is still intact. Assurance varies from one system to another and must be established on individual systems. However, there are grades or levels of assurance that can be placed across numerous systems of the same type, systems that support the same services, or systems that are deployed in the same geographic location. Thus, trust can be built into a system by implementing specific security features, whereas assurance is an assessment of the reliability and usability of those security features in a real-world situation.
Understand the Fundamental Concepts of Security Models
In information security, models provide a way to formalize security policies. Such models can be abstract or intuitive (some are decidedly mathematical), but all are intended to provide an explicit set of rules that a computer can follow to implement the fundamental security concepts, processes, and procedures that make up a security policy. These models offer a way to deepen your understanding of how a computer operating system should be designed and developed to support a specific security policy.
A security model provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation. That model, of course, must support each part of the security policy. In this way, developers can be sure their security implementation supports the security policy.
Tokens, Capabilities, and Labels
Several different methods are used to describe the necessary security attributes for an object. A security token is a separate object that is associated with a resource and describes its security attributes. This token can communicate security information about an object prior to requesting access to the actual object. In other implementations, various lists are used to store security information about multiple objects. A capabilities list maintains a row of security attributes for each controlled object. Although not as flexible as the token approach, capabilities lists generally offer quicker lookups when a subject requests access to an object. A third common type of attribute storage is called a security label, which is generally a permanent part of the object to which it’s attached. Once a security label is set, it usually cannot be altered. This permanence provides another safeguard against tampering that neither tokens nor capabilities lists provide.
You’ll explore several security models in the following sections; all of them can shed light on how security enters into computer architectures and operating system design:
Trusted computing base
State machine model
Information flow model
Noninterference model
Take-Grant model
Access control matrix
Bell-LaPadula model
Biba model
Clark-Wilson model
Brewer and Nash model (also known as Chinese Wall)
Goguen-Meseguer model
Sutherland model
Graham-Denning model
Although no system can be totally secure, it is possible to design and build reasonably secure systems. In fact, if a secured system complies with a specific set of security criteria, it can be said to exhibit a level of trust. Therefore, trust can be built into a system and then evaluated, certified, and accredited. But before we can discuss each security model, we have to establish a foundation on which most security models are built. This foundation is the trusted computing base.
Trusted Computing Base
An old U.S. Department of Defense standard known colloquially as the Orange Book/Trusted Computer System Evaluation Criteria (TCSEC) (DoD Standard 5200.28, covered in more detail later in this chapter in the section “Rainbow Series”) describes a trusted computing base (TCB) as a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. The TCB is a subset of a complete information system. It should be as small as possible so that a detailed analysis can reasonably ensure that the system meets design specifications and requirements. The TCB is the only portion of that system that can be trusted to adhere to and enforce the security policy. It is not necessary that every component of a system be trusted. But any time you consider a system from a security standpoint, your evaluation should include all trusted components that define that system’s TCB.
In general, TCB components in a system are responsible for controlling access to the system. The TCB must provide methods to access resources both inside and outside the TCB itself. TCB components commonly restrict the activities of components outside the TCB. It is the responsibility of TCB components to ensure that a system behaves properly in all cases and that it adheres to the security policy under all circumstances.
Security Perimeter
The security perimeter of your system is an imaginary boundary that separates the TCB from the rest of the system (Figure 8.1). This boundary ensures that no insecure communications or interactions occur between the TCB and the remaining elements of the computer system. For the TCB to communicate with the rest of the system, it must create secure channels, also called trusted paths. A trusted path is a channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange. As you learn more about formal security guidelines and evaluation criteria later in this chapter, you’ll also learn that trusted paths are required in systems that seek to deliver high levels of security to their users. According to the TCSEC guidelines, trusted paths are required for high-trust-level systems such as those at level B2 or higher of TCSEC.
FIGURE 8.1 The TCB, security perimeter, and reference monitor
Reference Monitors and Kernels
When the time comes to implement a secure system, it’s essential to develop some part of the TCB to enforce access controls on system assets and resources (sometimes known as objects). The part of the TCB that validates access to every resource prior to granting access requests is called the reference monitor (Figure 8.1). The reference monitor stands between every subject and object, verifying that a requesting subject’s credentials meet the object’s access requirements before any requests are allowed to proceed. If such access requirements aren’t met, access requests are turned down. Effectively, the reference monitor is the access control enforcer for the TCB. Thus, authorized and secured actions and activities are allowed to occur, whereas unauthorized and insecure activities and actions are denied and blocked from occurring. The reference monitor enforces access control or authorization based on the desired security model, whether Discretionary, Mandatory, Role Based, or some other form of access control. The reference monitor may be a conceptual part of the TCB; it doesn’t need to be an actual, stand-alone, or independent working system component.
The collection of components in the TCB that work together to implement reference monitor functions is called the security kernel. The reference monitor is a concept or theory that is put into practice via the implementation of a security kernel in software and hardware. The purpose of the security kernel is to launch appropriate components to enforce reference monitor functionality and resist all known attacks. The security kernel uses a trusted path to communicate with subjects. It also mediates all resource access requests, granting only those requests that match the appropriate access rules in use for a system.
The reference monitor requires descriptive information about each resource that it protects. Such information normally includes its classification and designation. When a subject requests access to an object, the reference monitor consults the object’s descriptive information to discern whether access should be granted or denied (see the sidebar “Tokens, Capabilities, and Labels” for more information on how this works).
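The following is an added example (not code from the book or from any product it names) that ties the reference monitor described here to the mandatory and discretionary controls from the “Controls” section. Every request passes through one check_access() call: a static mandatory rule compares the subject’s clearance with the object’s classification on an ordered set of labels, and only then is the object’s discretionary ACL consulted; the ACL may be edited by the owner alone, and every decision is written to an audit log. The label set, subjects, objects and actions are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample label ordering, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # static attribute used by the mandatory rule


@dataclass
class Object:
    name: str
    classification: str     # static attribute used by the mandatory rule
    owner: str
    acl: dict = field(default_factory=dict)   # subject name -> set of actions (discretionary)


class ReferenceMonitor:
    """Mediates every access request; nothing reaches an object except through check_access()."""

    def __init__(self):
        self.audit_log = []   # (subject, object, action, decision, reason)

    def _record(self, who, obj, action, decision, reason):
        self.audit_log.append((who, obj.name, action, decision, reason))
        return decision == "allow"

    def check_access(self, subject, obj, action):
        # Mandatory control: a rule must permit this clearance to reach this classification.
        if LEVELS[subject.clearance] < LEVELS[obj.classification]:
            return self._record(subject.name, obj, action, "deny", "clearance below classification")
        # Discretionary control: the object's ACL must list the action for this subject.
        if action not in obj.acl.get(subject.name, set()):
            return self._record(subject.name, obj, action, "deny", "no ACL entry")
        return self._record(subject.name, obj, action, "allow", "MAC and DAC satisfied")

    def set_acl_entry(self, requester, obj, grantee, actions):
        # The discretionary rule set is dynamic, but only the owner may change it.
        if requester.name != obj.owner:
            return self._record(requester.name, obj, "set_acl", "deny", "not the owner")
        obj.acl[grantee] = set(actions)
        return self._record(requester.name, obj, "set_acl", "allow", "owner edited ACL")


def demo():
    """Constructed scenario: alice owns a confidential report; bob has only internal clearance."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    carol = Subject("carol", "secret")
    report = Object("q3-report", "confidential", owner="alice")
    rm = ReferenceMonitor()
    rm.set_acl_entry(alice, report, "alice", {"read", "write"})
    rm.set_acl_entry(alice, report, "bob", {"read"})
    return {
        "alice_read": rm.check_access(alice, report, "read"),     # MAC and DAC both pass
        "bob_read": rm.check_access(bob, report, "read"),         # on the ACL, but MAC denies
        "carol_read": rm.check_access(carol, report, "read"),     # cleared, but not on the ACL
        "bob_edits_acl": rm.set_acl_entry(bob, report, "bob", {"read"}),  # not the owner
        "denials": sum(1 for entry in rm.audit_log if entry[3] == "deny"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering inside check_access() is the point: bob is on the ACL, yet the discretionary rule is never reached because the static mandatory rule fails first, which is the behaviour the text describes for a system that layers DAC under MAC.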
State Machine Model
The state machine model describes a system that is always secure no matter what state it is in. It’s based on the computer science definition of a finite state machine (FSM). An FSM combines an external input with an internal machine state to model all kinds of complex systems, including parsers, decoders, and interpreters. Given an input and a state, an FSM transitions to another state and may create an output. Mathematically, the next state is a function of the current state and the input; that is, next state = F(input, current state). Likewise, the output is also a function of the input and the current state; that is, output = F(input, current state).
Many security models are based on the secure state concept. According to the state machine model, a state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, that state is considered secure. A transition occurs when accepting input or producing output.
A transition always results in a new state (also called a state transition). All state transitions must be evaluated. If each possible state transition results in another secure state, the system can be called a secure state machine. A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy. The secure state machine model is the basis for many other security models.
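An added example (not from the book) of evaluating all state transitions as the model requires. The state is the set of (subject, object) read grants currently in force; the policy says no subject may hold a grant above its clearance; the inputs are grant and revoke requests, and next state = F(input, current state) is computed by a transition function. verify() boots from the initial state and explores every reachable state breadth-first, so a design is a secure state machine only if no transition ever leaves the secure set. Two designs are compared: one whose transition function consults the policy before granting, and a flawed one that grants any request. Subjects, objects and labels are constructed sample data.

```python
from collections import deque

# Constructed sample labels.
LEVELS = {"low": 0, "high": 1}
CLEARANCE = {"alice": "high", "bob": "low"}
CLASSIFICATION = {"plans": "high", "memo": "low"}
SUBJECTS = tuple(CLEARANCE)
OBJECTS = tuple(CLASSIFICATION)


def is_secure(state):
    """Security policy: a state is secure if no subject reads above its clearance."""
    return all(LEVELS[CLEARANCE[s]] >= LEVELS[CLASSIFICATION[o]] for s, o in state)


def guarded_transitions(state):
    """Secure design: yield (input, next_state) pairs; a grant is accepted only if policy allows it."""
    for s in SUBJECTS:
        for o in OBJECTS:
            if (s, o) in state:
                yield ("revoke", s, o), state - {(s, o)}
            elif LEVELS[CLEARANCE[s]] >= LEVELS[CLASSIFICATION[o]]:
                yield ("grant", s, o), state | {(s, o)}


def unguarded_transitions(state):
    """Flawed design: every grant request is accepted regardless of labels."""
    for s in SUBJECTS:
        for o in OBJECTS:
            if (s, o) in state:
                yield ("revoke", s, o), state - {(s, o)}
            else:
                yield ("grant", s, o), state | {(s, o)}


def verify(initial, transitions, policy):
    """Evaluate every reachable transition. Returns (all_secure, counterexample, states_visited).
    The counterexample is (input sequence from boot, first insecure state) when one exists."""
    if not policy(initial):
        return False, ((), initial), 1
    seen = {initial}
    queue = deque([(initial, ())])
    while queue:
        state, path = queue.popleft()
        for inp, nxt in transitions(state):
            if nxt in seen:
                continue
            seen.add(nxt)
            if not policy(nxt):
                return False, (path + (inp,), nxt), len(seen)
            queue.append((nxt, path + (inp,)))
    return True, None, len(seen)


def demo():
    boot = frozenset()   # boots with no grants, which is a secure state
    ok_guarded, _, n_guarded = verify(boot, guarded_transitions, is_secure)
    ok_unguarded, counterexample, _ = verify(boot, unguarded_transitions, is_secure)
    return ok_guarded, n_guarded, ok_unguarded, counterexample


if __name__ == "__main__":
    ok_g, n_g, ok_u, cex = demo()
    print("guarded design secure:", ok_g, "over", n_g, "reachable states")
    print("unguarded design secure:", ok_u, "counterexample:", cex)
```

Because states are frozensets, the explorer recognises revisited states and terminates; the guarded design reaches exactly the eight subsets of the three permitted grants, while the unguarded one is caught on the first request that would let bob read plans.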
Information Flow Model
The information flow model focuses on the flow of information. Information flow models are based on a state machine model. The Bell-LaPadula and Biba models, which we will discuss in detail later in this chapter, are both information flow models. Bell-LaPadula is concerned with preventing information flow from a high security level to a low security level. Biba is concerned with preventing information flow from a low security level to a high security level. Information flow models don’t necessarily deal with only the direction of information flow; they can also address the type of flow.
Information flow models are designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security (these are often referred to as multilevel models). Information flow can be between subjects and objects at the same classification level as well as between subjects and objects at different classification levels. An information flow model allows all authorized information flows, whether within the same classification level or between classification levels. It prevents all unauthorized information flows, whether within the same classification level or between classification levels.
Another interesting perspective on the information flow model is that it is used to establish a relationship between two versions or states of the same object when those two versions or states exist at different points in time. Thus, information flow dictates the transformation of an object from one state at one point in time to another state at another point in time. The information flow model also addresses covert channels by specifically excluding all nondefined flow pathways.
Noninterference Model
The noninterference model is loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. The real concern is to prevent the actions of subject A at a high level of security classification from affecting the system state at a lower level. If this occurs, subject B may be placed into an insecure state or be able to deduce or infer information about a higher level of classification. This is a type of information leakage and implicitly creates a covert channel. Thus, the noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses.
Composition Theories
Some other models that fall into the information flow category build on the notion of how inputs and outputs between multiple systems relate to one another—which follows how information flows between systems rather than within an individual system. These are called composition theories because they explain how outputs from one system relate to inputs to another system. There are three recognized types of composition theories:
Cascading: Input for one system comes from the output of another system.
Feedback: One system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input for system B and then system B provides input to system A).
Hookup: One system sends input to another system but also sends input to external entities.
Take-Grant Model
The Take-Grant model employs a directed graph (Figure 8.2) to dictate how rights can be passed from one subject to another or from a subject to an object. Simply put, a subject with the grant right can grant another subject or another object any other right they possess. Likewise, a subject with the take right can take a right from another subject. In addition to these two primary rules, the Take-Grant model may adopt a create rule and a remove rule to generate or delete rights. The key to this model is that using these rules allows you to figure out when rights in the system can change and where leakage (that is, unintentional distribution of permissions) can occur.
FIGURE 8.2 The Take-Grant model’s directed graph
Take rule: Allows a subject to take rights over an object
Grant rule: Allows a subject to grant rights to an object
Create rule: Allows a subject to create new rights
Remove rule: Allows a subject to remove rights it has
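The four rules above, worked through on a small rights graph, as an added example that is not part of the book. The node names (alice, bob, carol, dave, file) and the right letters t, g, r, w are constructed for the illustration. The leakage check applies the take and grant rules to a fixpoint on the graph as it stands; it does not model the create rule, so it answers the narrower question "can this right leak through the edges that already exist?".

```python
from collections import defaultdict
from copy import deepcopy


class TakeGrantGraph:
    """Directed graph whose edges are labelled with rights (t, g, r, w, ...)."""

    def __init__(self):
        # (source, destination) -> set of rights that source holds over destination
        self.rights = defaultdict(set)

    def add(self, src, dst, *rs):
        """Label an edge with rights; return True if anything new was added."""
        new = set(rs) - self.rights[(src, dst)]
        self.rights[(src, dst)] |= new
        return bool(new)

    def has(self, src, dst, r):
        return r in self.rights.get((src, dst), set())

    # --- the four rules, each applied one step at a time ---
    def take(self, x, y, z, r):
        """Take rule: x holds 't' over y and y holds r over z, so x takes r over z."""
        if self.has(x, y, "t") and self.has(y, z, r):
            self.add(x, z, r)
            return True
        return False

    def grant(self, x, y, z, r):
        """Grant rule: x holds 'g' over y and r over z, so x grants y the right r over z."""
        if self.has(x, y, "g") and self.has(x, z, r):
            self.add(y, z, r)
            return True
        return False

    def create(self, x, new_node, *rs):
        """Create rule: x creates new_node and holds rights rs over it."""
        self.add(x, new_node, *rs)

    def remove(self, x, y, *rs):
        """Remove rule: x gives up rights rs over y."""
        self.rights[(x, y)] -= set(rs)

    # --- leakage analysis ---
    def closure(self):
        """Apply take and grant until no new right appears (create is not modelled,
        so this is the conservative answer for the graph as it currently stands)."""
        g = deepcopy(self)
        changed = True
        while changed:
            changed = False
            for (x, y), rs in list(g.rights.items()):
                for (y2, z), rs2 in list(g.rights.items()):
                    if "t" in rs and y2 == y:        # x takes y's rights over z
                        for r in rs2:
                            changed |= g.add(x, z, r)
                    if "g" in rs and y2 == x:        # x grants its rights over z to y
                        for r in rs2:
                            changed |= g.add(y, z, r)
        return g

    def can_acquire(self, subject, r, obj):
        """Can subject end up holding r over obj through some sequence of take/grant steps?"""
        return self.closure().has(subject, obj, r)


def build_example():
    """Constructed graph: alice can take from bob; bob reads file and can grant to carol;
    dave writes file but is connected to nobody, so 'w' cannot leak."""
    g = TakeGrantGraph()
    g.add("alice", "bob", "t")
    g.add("bob", "file", "r")
    g.add("bob", "carol", "g")
    g.add("dave", "file", "w")
    return g


if __name__ == "__main__":
    g = build_example()
    for subj, right in [("alice", "r"), ("carol", "r"), ("carol", "w")]:
        print(f"{subj} can acquire '{right}' over file:", g.can_acquire(subj, right, "file"))
```

Alice was never given read access to the file directly, yet the analysis shows she can obtain it by taking it from bob; that is exactly the leakage the model lets you detect before it happens.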
Access Control Matrix
An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Each column of the matrix is an access control list (ACL). Each row of the matrix is a capabilities list. An ACL is tied to the object; it lists valid actions each subject can perform. A capability list is tied to the subject; it lists valid actions that can be taken on each object. From an administration perspective, using only capability lists for access control is a management nightmare. A capability list method of access control can be accomplished by storing on each subject a list of rights the subject has for every object. This effectively gives each user a key ring of accesses and rights to objects within the security domain. To remove access to a particular object, every user (subject) that has access to it must be individually manipulated. Thus, managing access on each user account is much more difficult than managing access on each object (in other words, via ACLs).
Implementing an access control matrix model usually involves the following:
Constructing an environment that can create and manage lists of subjects and objects
Crafting a function that can return the type associated with whatever object is supplied to that function as input (this is important because an object’s type determines what kind of operations may be applied to it)
The access control matrix shown in Table 8.1 is for a discretionary access control system. A mandatory or rule-based matrix can be constructed simply by replacing the subject names with classifications or roles. Access control matrixes are used by systems to quickly determine whether the requested action by a subject for an object is authorized.
TABLE 8.1 An access control matrix
Subjects   Document file                      Printer                                          Network folder share
Bob        Read                               No Access                                        No Access
Mary       No Access                          No Access                                        Read
Amanda     Read, Write                        Print                                            No Access
Mark       Read, Write                        Print                                            Read, Write
Kathryn    Read, Write                        Print, Manage Print Queue                        Read, Write, Execute
Colin      Read, Write, Change Permissions    Print, Manage Print Queue, Change Permissions    Read, Write, Execute, Change Permissions
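Table 8.1 expressed as a matrix, with the column and row views (ACL and capability list) derived from it and the revocation cost the text describes made concrete. This is an added example, not code from the book; the matrix contents are the table's, while every function name is an illustration.

```python
# Table 8.1 transcribed into a subject -> object -> rights matrix.
MATRIX = {
    "Bob":     {"Document file": {"Read"}, "Printer": set(), "Network folder share": set()},
    "Mary":    {"Document file": set(), "Printer": set(), "Network folder share": {"Read"}},
    "Amanda":  {"Document file": {"Read", "Write"}, "Printer": {"Print"}, "Network folder share": set()},
    "Mark":    {"Document file": {"Read", "Write"}, "Printer": {"Print"},
                "Network folder share": {"Read", "Write"}},
    "Kathryn": {"Document file": {"Read", "Write"}, "Printer": {"Print", "Manage Print Queue"},
                "Network folder share": {"Read", "Write", "Execute"}},
    "Colin":   {"Document file": {"Read", "Write", "Change Permissions"},
                "Printer": {"Print", "Manage Print Queue", "Change Permissions"},
                "Network folder share": {"Read", "Write", "Execute", "Change Permissions"}},
}


def is_authorized(matrix, subject, action, obj):
    """The reference-monitor question: a single cell lookup."""
    return action in matrix.get(subject, {}).get(obj, set())


def acl(matrix, obj):
    """A column of the matrix: the ACL attached to one object."""
    return {s: rights[obj] for s, rights in matrix.items() if rights.get(obj)}


def capability_list(matrix, subject):
    """A row of the matrix: the capability list (key ring) carried by one subject."""
    return {o: r for o, r in matrix[subject].items() if r}


def acl_store(matrix):
    """Object-centred storage of the same matrix: obj -> {subject -> rights}."""
    objects = next(iter(matrix.values()))
    return {obj: acl(matrix, obj) for obj in objects}


def capability_store(matrix):
    """Subject-centred storage of the same matrix: subject -> {obj -> rights}."""
    return {s: capability_list(matrix, s) for s in matrix}


def revoke_object_via_acl(store, obj):
    """Rights live on the object, so removing all access to it touches one record."""
    touched = 1 if obj in store else 0
    store.pop(obj, None)
    return touched


def revoke_object_via_capabilities(store, obj):
    """Rights live on the subjects, so every key ring mentioning obj must be found and
    edited. Returns how many subject records had to be touched."""
    touched = 0
    for subject, ring in store.items():
        if obj in ring:
            del ring[obj]
            touched += 1
    return touched
```

Revoking the printer is one deletion in the ACL store but four separate subject edits in the capability store, which is the management cost the paragraph warns about.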
Bell-LaPadula Model
The U.S. Department of Defense (DoD) developed the Bell-LaPadula model in the 1970s to address concerns about protecting classified information. The DoD manages multiple levels of classified resources, and the Bell-LaPadula multilevel model was derived from the DoD’s multilevel security policies. The classifications the DoD uses are numerous; however, discussions of classifications within the CISSP Common Body of Knowledge (CBK) are usually limited to unclassified, sensitive but unclassified, confidential, secret, and top secret. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. However, within the higher clearance levels, access is granted only on a need-to-know basis. In other words, access to a specific object is granted to the classified levels only if a specific work task requires such access. For example, any person with a secret security clearance can access secret, confidential, sensitive but unclassified, and unclassified documents but not top-secret documents. Also, to access a document within the secret level, the person seeking access must also have a need to know for that document.
By design, the Bell-LaPadula model prevents the leaking or transfer of classified information to less secure clearance levels. This is accomplished by blocking lower-classified subjects from accessing higher-classified objects. With these restrictions, the Bell-LaPadula model is focused on maintaining the confidentiality of objects. Thus, the complexities involved in ensuring the confidentiality of documents are addressed in the Bell-LaPadula model. However, Bell-LaPadula does not address the aspects of integrity or availability for objects. Bell-LaPadula is also the first mathematical model of a multilevel security policy.
Lattice-Based Access Control
This general category for nondiscretionary access controls is covered in Chapter 13, “Managing Identity and Authentication.” Here’s a quick preview on that more detailed coverage of this subject (which drives the underpinnings for most access control security models): Subjects under lattice-based access controls are assigned positions in a lattice. These positions fall between defined security labels or classifications. Subjects can access only those objects that fall into the range between the least upper bound (the nearest security label or classification higher than their lattice position) and the highest lower bound (the nearest security label or classification lower than their lattice position) of the labels or classifications for their lattice position. Thus, a subject that falls between the private and sensitive labels in a commercial scheme that reads bottom up as public, sensitive, private, proprietary, and confidential can access only public and sensitive data but not private, proprietary, or confidential data. Lattice-based access controls also fit into the general category of information flow models and deal primarily with confidentiality (that’s the reason for the connection to Bell-LaPadula).
The Bell-LaPadula model is built on a state machine concept and the information flow model. It also employs mandatory access controls and the lattice concept. The lattice tiers are the classification levels used by the security policy of the organization. The state machine supports multiple states with explicit transitions between any two states; this concept is used because the correctness of the machine, and guarantees of document confidentiality, can be proven mathematically. There are three basic properties of this state machine:
The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up).
The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down). This is also known as the Confinement Property.
The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control.
These first two properties define the states into which the system can transition. No other transitions are allowed. All states accessible through these two rules are secure states. Thus, Bell-LaPadula–modeled systems offer state machine model security (see Figure 8.3).
FIGURE 8.3 The Bell-LaPadula model
The Bell-LaPadula properties are in place to protect data confidentiality. A subject cannot read an object that is classified at a higher level than the subject is cleared for. Because objects at one level have data that is more sensitive or secret than data in objects at a lower level, a subject (who is not a trusted subject) cannot write data from one level to an object at a lower level. That action would be similar to pasting a top-secret memo into an unclassified document file. The third property enforces a subject’s need to know in order to access an object.
An exception in the Bell-LaPadula model states that a “trusted subject” is not constrained by the * Security Property. A trusted subject is defined as “a subject that is guaranteed not to consummate a security-breaching information transfer even if it is possible.” This means that a trusted subject is allowed to violate the * Security Property and perform a write-down, which is necessary when performing valid object declassification or reclassification.
The Bell-LaPadula model addresses only the confidentiality of data. It does not address its integrity or availability. Because it was designed in the 1970s, it does not support many operations that are common today, such as file sharing and networking. It also assumes secure transitions between security layers and does not address covert channels (covered in Chapter 9, “Security Vulnerabilities, Threats, and Countermeasures”). Bell-LaPadula does handle confidentiality well, so it is often used in combination with other models that provide mechanisms to handle integrity and availability.
Biba Model
For some nonmilitary organizations, integrity is more important than confidentiality. Out of this need, several integrity-focused security models were developed, such as those developed by Biba and by Clark-Wilson. The Biba model was designed after the Bell-LaPadula model. Where the Bell-LaPadula model addresses confidentiality, the Biba model addresses integrity. The Biba model is also built on a state machine concept, is based on information flow, and is a multilevel model. In fact, Biba appears to be pretty similar to the Bell-LaPadula model, except inverted. Both use states and transitions. Both have basic properties. The biggest difference is their primary focus: Biba primarily protects data integrity. Here are the basic properties or axioms of the Biba model state machine:
The Simple Integrity Property states that a subject cannot read an object at a lower integrity level (no read-down).
The * (star) Integrity Property states that a subject cannot modify an object at a higher integrity level (no write-up).
In both the Biba and Bell-LaPadula models, there are two properties that are inverses of each other: simple and * (star). However, they may also be labeled as axioms, principles, or rules. What you should focus on is the simple and star designations. Take note that simple is always about reading, and star is always about writing. Also, in both cases, simple and star are rules that define what cannot or should not be done. In most cases, what is not prevented or disallowed is supported or allowed.
Figure 8.4 illustrates these Biba model axioms.
FIGURE 8.4 The Biba model
When you compare Biba to Bell-LaPadula, you will notice that they look like they are opposites. That’s because they focus on different areas of security. Where the Bell-LaPadula model ensures data confidentiality, Biba ensures data integrity.
Biba was designed to address three integrity issues:
Prevent modification of objects by unauthorized subjects.
Prevent unauthorized modification of objects by authorized subjects.
Protect internal and external object consistency.
As with Bell-LaPadula, Biba requires that all subjects and objects have a classification label. Thus, data integrity protection is dependent on data classification.
Consider the Biba properties. The second property of the Biba model is pretty straightforward. A subject cannot write to an object at a higher integrity level. That makes sense. What about the first property? Why can’t a subject read an object at a lower integrity level? The answer takes a little thought. Think of integrity levels as being like the purity level of air. You would not want to pump air from the smoking section into the clean room environment. The same applies to data. When integrity is important, you do not want unvalidated data read into validated documents. The potential for data contamination is too great to permit such access.
Critiques of the Biba model reveal a few drawbacks:
It addresses only integrity, not confidentiality or availability.
It focuses on protecting objects from external threats; it assumes that internal threats are handled programmatically.
It does not address access control management, and it doesn’t provide a way to assign or change an object’s or subject’s classification level.
It does not prevent covert channels.
Because the Biba model focuses on data integrity, it is a more common choice for commercial security models than the Bell-LaPadula model. Some commercial organizations are more concerned with the integrity of their data than its confidentiality. Commercial organizations that are more focused on integrity than confidentiality may choose to implement the Biba model, but most organizations require a balance between both confidentiality and integrity, requiring them to implement a more complex solution than either model by itself.
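The lattice, the three Bell-LaPadula properties, and the two Biba properties, side by side so that the "inverted" relationship between the two models is visible in the code. This is an added example and not the book's own material; the five DoD levels are the ones named in the text, while the category names (crypto, nuclear) used for need-to-know are constructed, and the lattice order used here (higher-or-equal level and a superset of categories) is the standard dominance relation rather than anything the chapter spells out.

```python
from dataclasses import dataclass

# Ordered classification levels from the text; categories carry need-to-know.
LEVELS = ["unclassified", "sensitive but unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def lub(a, b):
    """Least upper bound of two labels: the lowest label dominating both."""
    level = LEVELS[max(LEVELS.index(a.level), LEVELS.index(b.level))]
    return Label(level, a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound of two labels: the highest label both dominate."""
    level = LEVELS[min(LEVELS.index(a.level), LEVELS.index(b.level))]
    return Label(level, a.categories & b.categories)


# --- Bell-LaPadula: confidentiality ---
def blp_can_read(subject, obj):
    """Simple Security Property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject, obj, trusted=False):
    """* (star) Security Property: no write down; trusted subjects are exempt."""
    return trusted or obj.dominates(subject)


def blp_access(subject, obj, mode, dac_modes, trusted=False):
    """All three properties at once: the mandatory check plus the Discretionary
    Security Property, which consults the access-matrix cell (dac_modes)."""
    if mode == "read":
        mandatory = blp_can_read(subject, obj)
    else:
        mandatory = blp_can_write(subject, obj, trusted)
    return mandatory and mode in dac_modes


# --- Biba: integrity (the same two checks with the arguments swapped) ---
def biba_can_read(subject, obj):
    """Simple Integrity Property: no read down."""
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    """* (star) Integrity Property: no write up."""
    return subject.dominates(obj)
```

Each Biba function is the matching Bell-LaPadula function with subject and object exchanged; that is the whole of the inversion the text describes. Need-to-know is not a separate rule here: an object in a category the subject lacks is simply not dominated, so the read is refused even at the same level.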
Clark-Wilson Model
Although the Biba model works in commercial applications, another model was designed in 1987 specifically for the commercial environment. The Clark-Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark-Wilson model defines each data item and allows modifications through only a small set of programs.
The Clark-Wilson model does not require the use of a lattice structure; rather, it uses a three-part relationship of subject/program/object (or subject/transaction/object) known as a triple or an access control triple. Subjects do not have direct access to objects. Objects can be accessed only through programs. Through the use of two principles—well-formed transactions and separation of duties—the Clark-Wilson model provides an effective means to protect integrity.
Well-formed transactions take the form of programs. A subject is able to access objects only by using a program, interface, or access portal (Figure 8.5). Each program has specific limitations on what it can and cannot do to an object (such as a database or other resource). This effectively limits the subject’s capabilities. This is known as a constrained interface. If the programs are properly designed, then the triple relationship provides a means to protect the integrity of the object.
FIGURE 8.5 The Clark-Wilson model
Clark-Wilson defines the following items and procedures:
A constrained data item (CDI) is any data item whose integrity is protected by the security model.
An unconstrained data item (UDI) is any data item that is not controlled by the security model. Any data that is to be input and hasn’t been validated, or any output, would be considered an unconstrained data item.
An integrity verification procedure (IVP) is a procedure that scans data items and confirms their integrity.
Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.
The Clark-Wilson model uses security labels to grant access to objects, but only through transformation procedures and a restricted interface model. A restricted interface model uses classification-based restrictions to offer only subject-specific authorized information and functions. One subject at one classification level will see one set of data and have access to one set of functions, whereas another subject at a different classification level will see a different set of data and have access to a different set of functions. The different functions made available to different levels or classes of users may be implemented by either showing all functions to all users but disabling those that are not authorized for a specific user or by showing only those functions granted to a specific user. Through these mechanisms, the Clark-Wilson model ensures that data is protected from unauthorized changes from any user. In effect, the Clark-Wilson model enforces separation of duties. The Clark-Wilson design makes it a common model for commercial applications.
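The CDI/UDI/IVP/TP vocabulary and the access control triple, applied to a small ledger, as an added example that is not from the book. The account names, the subjects alice and teller, and the invariant (balances are non-negative and sum to a control total) are all constructed; the point is that a subject never touches a CDI except by running a TP it is certified for, that untrusted input is validated before it becomes a CDI, and that a TP which would leave the data inconsistent is rolled back.

```python
from copy import deepcopy


class Ledger:
    """CDIs that can change only through certified TPs, checked by an IVP."""

    def __init__(self):
        # CDIs: two balances and a control total that must equal their sum
        self._cdis = {"acct_a": 100, "acct_b": 50, "total": 150}
        self._tps = {}          # TP name -> function
        self._triples = set()   # certified (subject, TP, CDI) relations
        self.audit_log = []     # every successful TP run is recorded

    def cdi(self, name):
        return self._cdis[name]

    def register_tp(self, name, fn):
        self._tps[name] = fn

    def certify(self, subject, tp, *cdis):
        """Record access control triples: subject may run tp against each CDI listed."""
        for c in cdis:
            self._triples.add((subject, tp, c))

    def ivp(self):
        """IVP: balances are non-negative and add up to the control total."""
        accounts = [v for k, v in self._cdis.items() if k != "total"]
        return all(v >= 0 for v in accounts) and sum(accounts) == self._cdis["total"]

    def run_tp(self, subject, tp, cdi_names, *args):
        """The only path by which a subject may modify a CDI."""
        if tp not in self._tps:
            raise PermissionError(f"unknown TP {tp}")
        for c in cdi_names:                       # every CDI touched needs its triple
            if (subject, tp, c) not in self._triples:
                raise PermissionError(f"{subject} is not certified to run {tp} on {c}")
        snapshot = deepcopy(self._cdis)
        self._tps[tp](self._cdis, *cdi_names, *args)
        if not self.ivp():                        # a well-formed transaction never leaves a bad state
            self._cdis = snapshot
            raise ValueError(f"{tp} would violate integrity; rolled back")
        self.audit_log.append((subject, tp, tuple(cdi_names), args))


# --- transformation procedures ---
def transfer(cdis, src, dst, amount):
    cdis[src] -= amount
    cdis[dst] += amount


def deposit(cdis, acct, total, amount):
    cdis[acct] += amount
    cdis[total] += amount


# --- UDI -> CDI: raw input is validated before any TP may use it ---
def validate_amount(udi_text):
    """Turn an unconstrained data item (raw text) into a checked integer amount."""
    if not udi_text.isdigit():
        raise ValueError(f"rejected UDI {udi_text!r}")
    return int(udi_text)


def build_ledger():
    ledger = Ledger()
    ledger.register_tp("transfer", transfer)
    ledger.register_tp("deposit", deposit)
    ledger.certify("alice", "transfer", "acct_a", "acct_b")   # alice moves money between accounts
    ledger.certify("teller", "deposit", "acct_a", "total")    # teller deposits only: separation of duties
    return ledger


def demo():
    """Exercise the three enforcement points and report what happened."""
    ledger, out = build_ledger(), {}
    ledger.run_tp("alice", "transfer", ("acct_a", "acct_b"), 30)
    out["after_transfer"] = (ledger.cdi("acct_a"), ledger.cdi("acct_b"), ledger.ivp())
    try:
        ledger.run_tp("bob", "transfer", ("acct_a", "acct_b"), 1)
        out["uncertified"] = "allowed"
    except PermissionError:
        out["uncertified"] = "denied"
    try:
        ledger.run_tp("alice", "transfer", ("acct_a", "acct_b"), 500)   # would overdraw acct_a
        out["overdraw"] = "allowed"
    except ValueError:
        out["overdraw"] = "rolled back"
    out["after_overdraw"] = ledger.cdi("acct_a")
    try:
        validate_amount("25abc")
        out["bad_udi"] = "accepted"
    except ValueError:
        out["bad_udi"] = "rejected"
    ledger.run_tp("teller", "deposit", ("acct_a", "total"), validate_amount("25"))
    out["after_deposit"] = (ledger.cdi("acct_a"), ledger.cdi("total"), ledger.ivp())
    return out
```

The teller can deposit but not transfer, and alice can transfer but not deposit, which is the separation of duties the triples encode; in a real system the CDIs would also be encapsulated so that nothing but run_tp can reach them.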
Brewer and Nash Model (aka Chinese Wall)
The Brewer and Nash model was created to permit access controls to change dynamically based on a user’s previous activity (making it a kind of state machine model as well). This model applies to a single integrated database; it seeks to create security domains that are sensitive to the notion of conflict of interest (for example, someone who works at Company C who has access to proprietary data for Company A should not also be allowed access to similar data for Company B if those two companies compete with each other). This model is known as the Chinese Wall model because it creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class. Metaphorically, this puts a wall around all other information in any conflict class. Thus, this model also uses the principle of data isolation within each conflict class to keep users out of potential conflict-of-interest situations (for example, management of company datasets). Because company relationships change all the time, dynamic updates to members of and definitions for conflict classes are important.
Another way of looking at or thinking of the Brewer and Nash model is of an administrator having full control access to a wide range of data in a system based on their assigned job responsibilities and work tasks. However, at the moment an action is taken against any data item, the administrator’s access to any conflicting data items is temporarily blocked. Only data items that relate to the initial data item can be accessed during the operation. Once the task is completed, the administrator’s access returns to full control.
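The history-based decision the two paragraphs above describe, as an added example that is not from the book. The conflict classes (banks, oil) and company datasets (BankA, BankB, OilX, OilY) are constructed. The write rule used here (a user may write to a dataset only if every dataset they have read belongs to that same company) is the usual companion to the read rule and goes slightly beyond the text; the class-update method is there because the text stresses that conflict classes must be updatable.

```python
from collections import defaultdict


class ChineseWall:
    def __init__(self, conflict_classes):
        self.class_of = {}                   # company dataset -> conflict-of-interest class
        self.history = defaultdict(set)      # user -> company datasets already accessed
        for cls, companies in conflict_classes.items():
            for company in companies:
                self.class_of[company] = cls

    def update_class(self, company, cls):
        """Company relationships change, so class membership must be updatable."""
        self.class_of[company] = cls

    def can_read(self, user, company):
        """Allowed unless the user has already touched a different company in the same class."""
        cls = self.class_of[company]
        seen_in_class = {c for c in self.history[user] if self.class_of.get(c) == cls}
        return not seen_in_class or seen_in_class == {company}

    def can_write(self, user, company):
        """Writing is allowed only if every dataset the user has read belongs to this
        company, so nothing read elsewhere can be carried across the wall by a write."""
        return self.can_read(user, company) and self.history[user] <= {company}

    def read(self, user, company):
        """A successful read is what moves the wall: it is recorded against the user."""
        if not self.can_read(user, company):
            raise PermissionError(f"{user} is walled off from {company}")
        self.history[user].add(company)


CLASSES = {"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}}   # constructed


def demo():
    wall, out = ChineseWall(CLASSES), {}
    wall.read("alice", "BankA")
    out["same_bank_again"] = wall.can_read("alice", "BankA")     # still allowed
    out["rival_bank"] = wall.can_read("alice", "BankB")          # other side of the wall
    out["unrelated_class"] = wall.can_read("alice", "OilX")      # different conflict class
    out["write_before_oil"] = wall.can_write("alice", "BankA")
    wall.read("alice", "OilX")
    out["write_after_oil"] = wall.can_write("alice", "BankA")    # could carry OilX data into BankA
    try:
        wall.read("alice", "BankB")
        out["forced_read"] = "allowed"
    except PermissionError:
        out["forced_read"] = "denied"
    wall.update_class("BankB", "no-longer-competing")            # dynamic reclassification
    out["after_reclass"] = wall.can_read("alice", "BankB")
    return out
```

Note that the decision for alice depends on nothing but her own history: the same request is granted before she reads BankA and refused afterwards, which is why the text calls this a kind of state machine.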
Goguen-Meseguer Model
The Goguen-Meseguer model is an integrity model, although not as well known as Biba and the others. In fact, this model is said to be the foundation of noninterference conceptual theories. Often when someone refers to a noninterference model, they are actually referring to the Goguen-Meseguer model.
The Goguen-Meseguer model is based on predetermining the set or domain—a list of objects that a subject can access. This model is based on automaton theory and domain separation. This means subjects are allowed only to perform predetermined actions against predetermined objects. When similar users are grouped into their own domain (that is, collective), the members of one subject domain cannot interfere with the members of another subject domain. Thus, subjects are unable to interfere with each other’s activities.
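The noninterference check itself, serving both the Noninterference Model section earlier in the chapter and the Goguen-Meseguer passage above, as an added example that is not from the book. The two-domain machine (a secret register visible only to the high domain and a counter the low domain can see) and the action names are constructed. The test is the classic "purge" formulation: remove every high action from a trace and the low observer's view must not change; the leaky variant lets a high action bump the counter, which is precisely the covert channel the text warns about.

```python
from dataclasses import dataclass

HIGH, LOW = "high", "low"


@dataclass(frozen=True)
class Action:
    level: str      # security domain of the subject issuing the action
    name: str
    arg: int = 0


class Machine:
    """Two-domain state machine: a secret register (high) and a counter the low
    domain can observe. With leaky=True a high action also bumps the counter."""

    def __init__(self, leaky):
        self.leaky = leaky

    def run(self, trace):
        state = {"secret": 0, "counter": 0}
        for a in trace:
            if a.name == "set_secret" and a.level == HIGH:
                state["secret"] = a.arg
                if self.leaky:
                    state["counter"] += 1     # high activity disturbs low-visible state
            elif a.name == "tick":
                state["counter"] += 1
        return state

    def low_view(self, state):
        """Everything a low-domain observer can see of the state."""
        return state["counter"]


def purge(trace, level):
    """Drop every action issued by the given domain."""
    return [a for a in trace if a.level != level]


def noninterferes(machine, trace):
    """Goguen-Meseguer noninterference: for every prefix of the trace, the low view
    is the same whether or not the high actions were ever executed."""
    for n in range(len(trace) + 1):
        prefix = trace[:n]
        with_high = machine.low_view(machine.run(prefix))
        without_high = machine.low_view(machine.run(purge(prefix, HIGH)))
        if with_high != without_high:
            return False
    return True


# Constructed trace: high sets its secret twice, low ticks twice in between.
TRACE = [Action(HIGH, "set_secret", 42), Action(LOW, "tick"),
         Action(HIGH, "set_secret", 7), Action(LOW, "tick")]


if __name__ == "__main__":
    for leaky in (False, True):
        print(f"leaky={leaky}: noninterference holds:", noninterferes(Machine(leaky), TRACE))
```

In the leaky machine the low observer reads 4 instead of 2 and can count the high subject's actions without ever reading the secret; nothing in the flow of data was violated, only the low domain's view of the system state.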
Sutherland Model
The Sutherland model is an integrity model. It focuses on preventing interference in support of integrity. It is formally based on the state machine model and the information flow model. However, it does not directly indicate specific mechanisms for protection of integrity. Instead, the model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of only these predetermined secure states, integrity is maintained and interference is prohibited.
A common example of the Sutherland model is its use to prevent a covert channel from being used to influence the outcome of a process or activity. (For a discussion of covert channels, see Chapter 9.)
Graham-Denning Model
The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Graham-Denning is a collection of eight primary protection rules or actions that define the boundaries of certain secure actions:
Securely create an object.
Securely create a subject.
Securely delete an object.
Securely delete a subject.
Securely provide the read access right.
Securely provide the grant access right.
Securely provide the delete access right.
Securely provide the transfer access right.
Usually the specific abilities or permissions of a subject over a set of objects are defined in an access matrix (aka access control matrix).
Select Controls Based On Systems Security Requirements
Those who purchase information systems for certain kinds of applications—think, for example, about national security agencies where sensitive information may be extremely valuable (or dangerous in the wrong hands) or central banks or securities traders where certain data may be worth billions of dollars—often want to understand their security strengths and weaknesses. Such buyers are often willing to consider only systems that have been subjected to formal evaluation processes in advance and have received some kind of security rating. Buyers want to know what they’re buying and, usually, what steps they must take to keep such systems as secure as possible.
When formal evaluations are undertaken, systems are usually subjected to a two-step process:
1. The system is tested and a technical evaluation is performed to make sure that the system’s security capabilities meet criteria laid out for its intended use.
2. The system is subjected to a formal comparison of its design and security criteria and its actual capabilities and performance, and individuals responsible for the security and veracity of such systems must decide whether to adopt them, reject them, or make some changes to their criteria and try again.
Often trusted third parties are hired to perform such evaluations; the most important result from such testing is their “seal of approval” that the system meets all essential criteria.
You should be aware that TCSEC was repealed and replaced by the Common Criteria (as well as many other DoD directives). It is still included here as a historical reference and as an example of static-based assessment criteria to offset the benefits of dynamic (although subjective) assessment criteria. Keep in mind that the CISSP exam focuses on the “why” of security more than the “how”—in other words, it focuses on the concepts and theories more than the technologies and implementations. Thus, some of this historical information could be present in questions on the exam.
Regardless of whether the evaluations are conducted inside an organization or out of house, the adopting organization must decide to accept or reject the proposed systems. An organization’s management must take formal responsibility if and when a system is adopted and be willing to accept any risks associated with its deployment and use.
The three main product evaluation models or classification criteria models addressed here are TCSEC, Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria.
Rainbow Series
Since the 1980s, governments, agencies, institutions, and business organizations of all kinds have faced the risks involved in adopting and using information systems. This led to a historical series of information security standards that attempted to specify minimum acceptable security criteria for various categories of use. Such categories were important as purchasers attempted to obtain and deploy systems that would protect and preserve their contents or that would meet various mandated security requirements (such as those that contractors must routinely meet to conduct business with the government). The first such set of standards resulted in the creation of the Trusted Computer System Evaluation Criteria (TCSEC) in the 1980s, as the U.S. Department of Defense (DoD) worked to develop and impose security standards for the systems it purchased and used. In turn, this led to a whole series of such publications through the mid-1990s. Since these publications were routinely identified by the color of their covers, they are known collectively as the rainbow series.
Following in the DoD’s footsteps, other governments or standards bodies created computer security standards that built and improved on the rainbow series elements. Significant standards in this group include a European model called the Information Technology Security Evaluation Criteria (ITSEC), which was developed in 1990 and used through 1998. Eventually TCSEC and ITSEC were replaced with the so-called Common Criteria, adopted by the United States, Canada, France, Germany, and the United Kingdom in 1998 but more formally known as the “Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security.” Both ITSEC and the Common Criteria will be discussed in later sections.
When governments or other security-conscious agencies evaluate information systems, they make use of various standard evaluation criteria. In 1985, the National Computer Security Center (NCSC) developed the TCSEC, usually called the Orange Book because of the color of this publication’s covers. The TCSEC established guidelines to be used when evaluating a stand-alone computer from the security perspective. These guidelines address basic security functionality and allow evaluators to measure and rate a system’s functionality and trustworthiness. In the TCSEC, in fact, functionality and security assurance are combined and not separated as they are in security criteria developed later. TCSEC guidelines were designed to be used when evaluating vendor products or by vendors to ensure that they build all necessary functionality and security assurance into new products. Keep in mind while you continue to read through the rest of this section that the TCSEC was replaced by the Common Criteria in 2005 (which is discussed later in this chapter).
Next, we’ll take a look at some of the details in the Orange Book itself and then talk about some of the other important elements in the rainbow series.
TCSEC Classes and Required Functionality
TCSEC combines the functionality and assurance rating of the confidentiality protection offered by a system into four major categories. These categories are then subdivided into additional subcategories identified with numbers, such as C1 and C2. Furthermore, TCSEC’s categories are assigned through the evaluation of a target system. Applicable systems are stand-alone systems that are not networked. TCSEC defines the following major categories:
Category A: Verified protection. The highest level of security.
Category B: Mandatory protection.
Category C: Discretionary protection.
Category D: Minimal protection. Reserved for systems that have been evaluated but do not meet requirements to belong to any other category.
The list that follows includes brief discussions of categories A through C, along with numeric suffixes that represent any applicable subcategories (Figure 8.6).
FIGURE 8.6 The levels of TCSEC
Dis cre tionary Pro tec tion (Cat e gories C1, C2) Dis cre tionary pro tec tion sys tems pro vide ba sic ac cess con trol. Sys tems in this cat e gory do pro vide some se cu rity con trols but are lack ing in more so phis ti cated and strin gent con trols that ad dress spe cific needs for se cure sys tems. C1 and C2 sys tems pro vide ba sic con trols and com plete doc u men ta tion for sys tem in stal la tion and con fig u ra tion.
Dis cre tionary Se cu rity Pro tec tion (C1) A dis cre tionary se cu rity pro tec tion sys tem con trols ac cess by user IDs and/or groups. Al though there are some con trols in place that limit ob ject ac cess, sys tems in this cat e gory pro vide only weak pro tec tion.
Controlled Access Protection (C2) Controlled access protection systems are stronger than C1 systems. Users must be identified individually to gain access to objects, and security-relevant events must be auditable to the individual user. C2 systems must also enforce media cleansing (object reuse): any media that are reused by another user must first be thoroughly cleansed so that no remnant of the previous user's data remains available for inspection or use. Additionally, strict logon procedures must be enforced that restrict access for invalid or unauthorized users.
Mandatory Protection (Categories B1, B2, B3) Mandatory protection systems provide more security controls than category C or D systems. More granularity of control is mandated, so security administrators can apply specific controls that allow only very limited sets of subject/object access. This category of systems is based on the Bell-LaPadula model: mandatory access decisions are based on security labels attached to subjects and objects.
Labeled Security (B1) In a labeled security system, each subject and each object carries a security label. A B1 system grants access by comparing the subject's label with the object's label and checking that the requested mode of access is compatible with them: a subject may read an object only if the subject's label dominates the object's label, and may write to an object only if the object's label dominates the subject's. B1 systems support sufficient security to house classified data.
Structured Protection (B2) In addition to the requirement for security labels (as in B1 systems), B2 systems must address covert channels; the TCSEC requires a covert channel analysis at this level. Operator and administrator functions are separated, and process isolation is maintained. B2 systems are sufficient for classified data that requires more security functionality than a B1 system can deliver.
Security Domains (B3) Security domain systems provide more secure functionality by further increasing the separation and isolation of unrelated processes. Administration functions are clearly defined and separate from functions available to other users. The focus of B3 systems shifts to simplicity, to reduce exposure to vulnerabilities in unused or extra code. The secure state of B3 systems must also be addressed during the initial boot process. B3 systems are difficult to attack successfully and provide sufficient secure controls for very sensitive or secret data.
Verified Protection (Category A1) Verified protection systems are similar to B3 systems in the structure and controls they employ. The difference is in the development cycle. Each phase of the development cycle is controlled using formal methods. Each phase of the design is documented, evaluated, and verified before the next step is taken. This forces extreme security consciousness during all steps of development and deployment and is the only means the TCSEC recognizes for formally demonstrating strong system security.
A verified design system starts with a design document that states how the resulting system will satisfy the security policy. From there, each development step is evaluated in the context of the security policy. Functionality is crucial, but assurance becomes more important than in lower security categories. A1 systems represent the top level of security and are designed to handle top-secret data. Every step is documented and verified, from the design all the way through to delivery and installation.
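The label comparison that a B1 system performs, and the Bell-LaPadula rules the B categories are built on, is easier to see in code. The following C program is an added example written for this page, not code from the TCSEC or from this book; the level names, the three compartments, and the labels it checks are assumptions made for illustration. It encodes a label as a sensitivity level plus a compartment bitmask, defines the dominance relation, and derives the two access rules from it: read requires the subject to dominate the object (no read up), write requires the object to dominate the subject (no write down).

```c
/* Added example: Bell-LaPadula style label comparison of the kind a B1
 * system performs.  Not from the TCSEC or this book; the level names,
 * compartment bits and sample labels are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hierarchical sensitivity levels, ordered low to high (assumed set). */
typedef enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 } level_t;

/* Non-hierarchical compartments carried as a bitmask (assumed set). */
enum { COMP_CRYPTO = 1 << 0, COMP_NUCLEAR = 1 << 1, COMP_PERSONNEL = 1 << 2 };

/* A security label: a level plus a set of compartments. */
typedef struct {
    level_t  level;
    uint32_t compartments;
} label_t;

label_t make_label(level_t level, uint32_t compartments)
{
    label_t l = { level, compartments };
    return l;
}

/* a dominates b when a's level is at least b's and a's compartment set
 * contains every compartment in b's set. */
bool dominates(label_t a, label_t b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

/* Simple security property (no read up): a subject may read an object
 * only if the subject's label dominates the object's. */
bool mac_can_read(label_t subject, label_t object)
{
    return dominates(subject, object);
}

/* *-property (no write down): a subject may write an object only if the
 * object's label dominates the subject's, so data never flows downward. */
bool mac_can_write(label_t subject, label_t object)
{
    return dominates(object, subject);
}

/* Mandatory check for a requested access mode ('r' or 'w'). */
bool mac_check(label_t subject, label_t object, char mode)
{
    switch (mode) {
    case 'r': return mac_can_read(subject, object);
    case 'w': return mac_can_write(subject, object);
    default:  return false;   /* unknown mode: fail closed */
    }
}

int main(void)
{
    /* Constructed labels for the demonstration. */
    label_t analyst = make_label(SECRET, COMP_CRYPTO);
    label_t report  = make_label(SECRET, COMP_CRYPTO);
    label_t hr_file = make_label(CONFIDENTIAL, COMP_PERSONNEL);
    label_t ts_plan = make_label(TOP_SECRET, COMP_CRYPTO | COMP_NUCLEAR);

    printf("analyst reads report:   %s\n", mac_check(analyst, report,  'r') ? "allow" : "deny"); /* allow */
    printf("analyst reads hr_file:  %s\n", mac_check(analyst, hr_file, 'r') ? "allow" : "deny"); /* deny: lacks PERSONNEL */
    printf("analyst reads ts_plan:  %s\n", mac_check(analyst, ts_plan, 'r') ? "allow" : "deny"); /* deny: read up */
    printf("analyst writes ts_plan: %s\n", mac_check(analyst, ts_plan, 'w') ? "allow" : "deny"); /* allow: write up */
    printf("analyst writes hr_file: %s\n", mac_check(analyst, hr_file, 'w') ? "allow" : "deny"); /* deny: write down */
    return 0;
}
```

The deny cases are the interesting ones: a SECRET/CRYPTO analyst is refused the CONFIDENTIAL personnel file not because of level but because the analyst's label lacks the PERSONNEL compartment, and is refused a write to that same file because it would move SECRET data to a lower level. Real B1 systems also layer discretionary controls on top of these checks; this example shows only the mandatory part.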
Other Colors in the Rainbow Series
Altogether, there are nearly 30 titles in the collection of DoD documents that either add to or further elaborate on the Orange Book. Although the colors don't necessarily mean anything, they're used to identify publications in this series.
It is important to understand that most of the books in the rainbow series are now outdated and have been replaced by updated standards, guidelines, and directives. However, they are still included here for reference to address any exam items.
Other important elements in this collection of documents include the following:
Red Book Because the Orange Book applies only to stand-alone computers not attached to a network, and so many systems were used on networks (even in the 1980s), the Red Book was developed to interpret the TCSEC in a networking context. In fact, the official title of the Red Book is Trusted Network Interpretation of the TCSEC, so it can be considered an interpretation of the Orange Book with a networking bent. The Red Book quickly became more relevant and important to system buyers and builders than the Orange Book. The following list includes a few other functions of the Red Book:
Rates confidentiality and integrity
Addresses communications integrity
Addresses denial-of-service protection
Addresses compromise (in other words, intrusion) protection and prevention
Is restricted to a limited class of networks that are labeled as "centralized networks with a single accreditation authority"
Uses only four rating levels: None, C1 (Minimum), C2 (Fair), and B2 (Good)
Green Book The Green Book, or the Department of Defense Password Management Guideline, provides password creation and management guidelines; it's important for those who configure and manage trusted systems.
Table 8.2 has a more complete list of books in the rainbow series. For more information and to download the books, see the Rainbow Series web pages here:
https://csrc.nist.gov/publications/detail/white-paper/1985/12/26/dod-rainbow-series/final
https://fas.org/irp/nsa/rainbow.htm
TABLE 8.2 Some of the rainbow series elements

Publication number   Title                                                                      Book name
5200.28-STD          DoD Trusted Computer System Evaluation Criteria                            Orange Book
CSC-STD-002-85       DoD Password Management Guideline                                          Green Book
CSC-STD-003-85       Guidance for Applying TCSEC in Specific Environments                       Yellow Book
NCSC-TG-001          A Guide to Understanding Audit in Trusted Systems                          Tan Book
NCSC-TG-002          Trusted Product Evaluation: A Guide for Vendors                            Bright Blue Book
NCSC-WA-002-85       PC Security Considerations                                                 Light Blue Book
NCSC-TG-003          A Guide to Understanding Discretionary Access Controls in Trusted Systems  Neon Orange Book
NCSC-TG-004          Glossary of Computer Security Terms                                        Aqua Book
NCSC-TG-005          Trusted Network Interpretation                                             Red Book
NCSC-TG-006          A Guide to Understanding Configuration Management in Trusted Systems       Amber Book
NCSC-TG-007          A Guide to Understanding Design Documentation in Trusted Systems           Burgundy Book
NCSC-TG-008          A Guide to Understanding Trusted Distribution in Trusted Systems           Lavender Book
NCSC-TG-009          Computer Security Subsystem Interpretation of the TCSEC                    Venice Blue Book
Given all the time and effort that went into formulating the TCSEC, it's not unreasonable to wonder why evaluation criteria have evolved to newer, more advanced standards. The relentless march of time and technology aside, these are the major critiques of the TCSEC; they help to explain why newer standards are now in use worldwide:
Although the TCSEC puts considerable emphasis on controlling user access to information, it doesn't exercise control over what users do with information once access is granted. This can be a problem in military and commercial applications alike.
Given the origins of evaluation standards at the U.S. Department of Defense, it's understandable that the TCSEC focuses its concerns almost entirely on confidentiality, which assumes that controlling how users access data is of primary importance and that concerns about data accuracy or integrity are secondary. This doesn't work in commercial environments, where concerns about data accuracy and integrity can be more important than concerns about confidentiality.
Outside the evaluation standards' own emphasis on access controls, the TCSEC does not carefully address the kinds of personnel, physical, and procedural policy matters or safeguards that must be exercised to fully implement security policy, nor how such matters can affect system security.
The Orange Book, per se, doesn't deal with networking issues (though the Red Book, developed later in 1987, does).
To some extent, these criticisms reflect the unique security concerns of the military, which developed the TCSEC. The prevailing computing tools and technologies widely available at the time (networking was just getting started in 1985) had an impact as well. Certainly, an increasingly sophisticated and holistic view of security within organizations helps to explain why and where the TCSEC also fell short, procedurally and policy-wise. Because ITSEC has itself been largely superseded by the Common Criteria, the next section explains ITSEC as a step along the way toward the Common Criteria (covered in the section after that).
ITSEC Classes and Required Assurance and Functionality The ITSEC represents an initial attempt to create security evaluation criteria in Europe. It was developed as an alternative to the TCSEC guidelines. The ITSEC guidelines evaluate the functionality and assurance of a system using separate ratings for each category. In this context, a system's functionality is a measurement of the system's utility value for users. The functionality rating of a system states how well the system performs all necessary functions based on its design and intended purpose. The assurance rating represents the degree of confidence that the system will work properly in a consistent manner.
ITSEC refers to any system being evaluated as a target of evaluation (TOE). All ratings are expressed as TOE ratings in two categories: ITSEC uses one scale to rate functionality and a separate scale to rate assurance.
The functionality of a system is rated from F-D through F-B3 (there is no F-A1). The assurance of a system is rated from E0 through E6. Most ITSEC ratings generally correspond with TCSEC ratings (for example, a TCSEC C1 system corresponds to an ITSEC F-C1, E1 system). See Table 8.4 (at the end of the section "Structure of the Common Criteria") for a comparison of TCSEC, ITSEC, and Common Criteria ratings.
In some cases the F ratings of ITSEC are written as F1 through F5 rather than reusing the labels from the TCSEC. These alternate labels are F1 = F-C1, F2 = F-C2, F3 = F-B1, F4 = F-B2, and F5 = F-B3. There is no numbered F rating for F-D, although F0 is occasionally seen; the label adds little, because if there are no security functions to rate there is nothing for a functionality label to describe.
Differences between the TCSEC and ITSEC are many and varied. The following are some of the most important differences between the two standards:
Although the TCSEC concentrates almost exclusively on confidentiality, ITSEC addresses concerns about the loss of integrity and availability in addition to confidentiality, thereby covering all three elements so important to maintaining complete information security.
ITSEC does not rely on the notion of a TCB, and it doesn't require that a system's security components be isolated within a TCB.
Unlike the TCSEC, which required any changed system to be reevaluated anew (be it for operating system upgrades, patches, or fixes; application upgrades or changes; and so forth), ITSEC includes coverage for maintaining targets of evaluation after such changes occur without requiring a new formal evaluation.
For more information on ITSEC (now largely supplanted by the Common Criteria, covered in the next section), please see these sites:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/ITSicherheitskriterien/itsec-en_pdf.pdf?__blob=publicationFile
https://www.sogis.org/documents/itsec/itsec-en.pdf
Or you can view the original ITSEC specification here:
http://www.ssi.gouv.fr/uploads/2015/01/ITSEC-uk.pdf
Common Criteria The Common Criteria (CC) represents a more or less global effort that involves everybody who worked on the TCSEC and ITSEC as well as other global players. Ultimately, it results in the ability to purchase CC-evaluated products (where CC, of course, stands for Common Criteria). The Common Criteria defines various levels of testing and confirmation of systems' security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed. Nevertheless, it's wise to observe that even the highest CC ratings do not equate to a guarantee that such systems are completely secure or that they are entirely devoid of vulnerabilities or susceptibilities to exploit. An evaluation covers a specific TOE, in a specific evaluated configuration, against the requirements it claims, and nothing more. The Common Criteria was designed as a product evaluation model.
Recognition of Common Criteria
Caveats and disclaimers aside, a document titled "Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security" was signed by representatives from government organizations in Canada, France, Germany, the United Kingdom, and the United States in 1998, making the CC an internationally recognized standard. The Common Criteria itself was subsequently adopted by ISO/IEC as an official standard: ISO/IEC 15408, Evaluation Criteria for Information Technology Security. The objectives of the CC guidelines are as follows:
To add to buyers' confidence in the security of evaluated, rated information technology (IT) products
To eliminate duplicate evaluations (among other things, this means that if one country, agency, or validation organization follows the CC in rating specific systems and configurations, others elsewhere need not repeat this work)
To keep making security evaluations and the certification process more cost effective and efficient
To make sure evaluations of IT products adhere to high and consistent standards
To promote evaluation and increase availability of evaluated, rated IT products
To evaluate the functionality (in other words, what the system does) and assurance (in other words, how much you can trust the system) of the TOE
Common Criteria documentation is available at www.niap-ccevs.org/cc-scheme/. Visit this site to get information on the current version of the CC guidelines and guidance on using the CC along with lots of other useful, relevant information.
The Common Criteria process is based on two key elements: protection profiles and security targets. Protection profiles (PPs) specify, for a product that is to be evaluated (the TOE), the security requirements and protections; they express the security desires, the "I want," from a customer. Security targets (STs) specify the claims of security from the vendor that are built into a TOE; they are the implemented security measures, the "I will provide," from the vendor. In addition to offering security targets, vendors may offer packages of additional security features. A package is an intermediate grouping of security requirement components that can be added to or removed from a TOE (like the option packages when purchasing a new vehicle).
The PP is compared to the STs from the selected vendor's TOEs. The closest or best match is what the client purchases. The client initially selects a vendor based on published or marketed Evaluation Assurance Levels (EALs) (see the next section for more details on EALs) for currently available systems. Using the Common Criteria to choose a vendor allows clients to request exactly what they need for security rather than having to use static, fixed security levels. It also allows vendors more flexibility in what they design and create. A well-defined set of Common Criteria supports subjectivity and versatility, and it adapts to changing technology and threat conditions. Furthermore, the EALs provide a method for comparing vendor systems that is more standardized (like the old TCSEC).
Structure of the Common Criteria
The CC guidelines are divided into three parts, as follows:
Part 1 Introduction and General Model describes the general concepts and underlying model used to evaluate IT security and what's involved in specifying targets of evaluation. It contains useful introductory and explanatory material for those unfamiliar with the workings of the security evaluation process or who need help reading and interpreting evaluation results.
Part 2 Security Functional Requirements describes various functional requirements in terms of security audits, communications security, cryptographic support for security, user data protection, identification and authentication, security management, TOE security functions (TSFs), resource utilization, system access, and trusted paths. It covers the complete range of security functions as envisioned in the CC evaluation process, with additional appendices (called annexes) to explain each functional area.
Part 3 Security Assurance covers assurance requirements for TOEs in the areas of configuration management, delivery and operation, development, guidance documents, and life-cycle support, plus assurance tests and vulnerability assessments. It covers the complete range of security assurance checks and protection profiles as envisioned in the CC evaluation process, with information on evaluation assurance levels that describe how systems are designed, checked, and tested.
Most important of all, the information that appears in these various CC documents (worth at least a cursory read-through) includes the evaluation assurance levels, commonly referred to as EALs. Table 8.3 summarizes EALs 1 through 7. For a complete description of EALs, consult the CC documents hosted at https://www.niap-ccevs.org/ and view Part 3 of the latest revision.
TABLE 8.3 CC evaluation assurance levels

Level  Assurance level                              Description
EAL1   Functionally tested
       Applies when some confidence in correct operation is required but where threats to security are not serious. This is of value when independent assurance that due care has been exercised in protecting personal information is necessary.
EAL2   Structurally tested
       Applies when delivery of design information and test results are in keeping with good commercial practices. This is of value when developers or users require low to moderate levels of independently assured security. It is especially relevant when evaluating legacy systems.
EAL3   Methodically tested and checked
       Applies when security engineering begins at the design stage and is carried through without substantial subsequent alteration. This is of value when developers or users require a moderate level of independently assured security, including thorough investigation of the TOE and its development.
EAL4   Methodically designed, tested, and reviewed
       Applies when rigorous, positive security engineering and good commercial development practices are used. This does not require substantial specialist knowledge, skills, or resources. It involves independent testing of all TOE security functions.
EAL5   Semi-formally designed and tested
       Uses rigorous security engineering and commercial development practices, including specialist security engineering techniques, for semi-formal testing. This applies when developers or users require a high level of independently assured security in a planned development approach, followed by rigorous development.
EAL6   Semi-formally verified, designed, and tested
       Uses direct, rigorous security engineering techniques at all phases of design, development, and testing to produce a premium TOE. This applies when TOEs for high-risk situations are needed, where the value of protected assets justifies additional cost. Extensive testing reduces risks of penetration, probability of covert channels, and vulnerability to attack.
EAL7   Formally verified, designed, and tested
       Used only for highest-risk situations or where high-value assets are involved. This is limited to TOEs where tightly focused security functionality is subject to extensive formal analysis and testing.
Though the CC guidelines are flexible and accommodating enough to capture most security needs and requirements, they are by no means perfect. As with other evaluation criteria, the CC guidelines do nothing to make sure that how users act on data is also secure. The CC guidelines also do not address administrative issues outside the specific purview of security. As with other evaluation criteria, the CC guidelines do not include evaluation of security in situ; that is, they do not address controls related to personnel, organizational practices and procedures, or physical security. Likewise, controls over electromagnetic emissions are not addressed, nor are the criteria for rating the strength of cryptographic algorithms explicitly laid out. Nevertheless, the CC guidelines represent some of the best techniques whereby systems may be rated for security. To conclude this discussion of security evaluation standards, Table 8.4 summarizes how various ratings from the TCSEC, ITSEC, and the CC can be compared. Table 8.4 shows that ratings from each standard have similar, but not identical, evaluation criteria.

TABLE 8.4 Comparing security evaluation standards

TCSEC   ITSEC      CC            Description
D       F-D+E0     EAL0, EAL1    Minimal/no protection
C1      F-C1+E1    EAL2          Discretionary security mechanisms
C2      F-C2+E2    EAL3          Controlled access protection
B1      F-B1+E3    EAL4          Labeled security protection
B2      F-B2+E4    EAL5          Structured security protection
B3      F-B3+E5    EAL6          Security domains
A1      F-B3+E6    EAL7          Verified security design
Industry and International Security Implementation Guidelines
In addition to overall security evaluation models, such as the Common Criteria, there are many other more specific or focused security standards for various aspects of storage, communication, transactions, and the like. Two of these standards you should be familiar with are the Payment Card Industry Data Security Standard (PCI DSS) and the International Organization for Standardization (ISO).
PCI DSS is a collection of requirements for improving the security of electronic payment transactions. These standards were defined by the PCI Security Standards Council members, who are primarily the major payment card brands and financial institutions. The PCI DSS defines requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. For more information on PCI DSS, please visit the website at www.pcisecuritystandards.org.
ISO is a worldwide standards-setting group of representatives from various national standards organizations. ISO defines standards for industrial and commercial equipment, software, protocols, and management, among others. It issues six main products: International Standards, Technical Reports, Technical Specifications, Publicly Available Specifications, Technical Corrigenda, and Guides. ISO standards are widely accepted across many industries and have even been adopted as requirements or laws by various governments. For more information on ISO, please visit the website at www.iso.org.
Certification and Accreditation Organizations that require secure systems need one or more methods to evaluate how well a system meets their security requirements. The formal evaluation process is divided into two phases, called certification and accreditation. The actual steps required in each phase depend on the evaluation criteria an organization chooses. A CISSP candidate must understand the need for each phase and the criteria commonly used to evaluate systems. The two evaluation phases are discussed in the next two sections, and then we present various evaluation criteria and considerations you must address when assessing the security of a system. Certification and accreditation processes are used to assess the effectiveness of application security as well as operating system and hardware security.
The process of evaluation provides a way to assess how well a system measures up to a desired level of security. Because each system's security level depends on many factors, all of them must be taken into account during the evaluation. Even though a system is initially described as secure, the installation process, physical environment, and general configuration details all contribute to its true general security. Two identical systems could be assessed at different levels of security because of configuration or installation differences.
The terms certification, accreditation, and maintenance as used in the following sections are official terms used by the defense establishment, and you should be familiar with them.
Certification and accreditation are additional steps in the software and IT systems development process normally required from defense contractors and others working in a military environment. The official definitions of these terms as used by the U.S. government are from Department of Defense Instruction 5200.40, Enclosure 2.
Certification
The first phase in a total evaluation process is certification. Certification is the comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.
System certification is the technical evaluation of each part of a computer system to assess its concordance with security standards. First, you must choose evaluation criteria (we will present criteria alternatives in later sections). Once you select criteria to use, you analyze each system component to determine whether it satisfies the desired security goals. The certification analysis includes testing the system's hardware, software, and configuration. All controls are evaluated during this phase, including administrative, technical, and physical controls.
After you assess the entire system, you can evaluate the results to determine the security level the system supports in its current environment. The environment of a system is a critical part of the certification analysis, so a system can be more or less secure depending on its surroundings. The manner in which you connect a secure system to a network can change its security standing. Likewise, the physical security surrounding a system can affect the overall security rating. You must consider all factors when certifying a system.
You complete the certification phase when you have evaluated all factors and determined the level of security for the system. Remember that the certification is valid only for a system in a specific environment and configuration. Any changes could invalidate the certification. Once you have certified a security rating for a specific configuration, you are ready to seek acceptance of the system. Management accepts the certified security configuration of a system through the accreditation process.
Accreditation
In the certification phase, you test and document the security capabilities of a system in a specific configuration. With this information in hand, the management of an organization compares the capabilities of a system to the needs of the organization. It is imperative that the security policy clearly states the requirements of a security system. Management reviews the certification information and decides whether the system satisfies the security needs of the organization. If management decides the certification of the system satisfies their needs, the system is accredited. Accreditation is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Once accreditation is performed, management has formally accepted the adequacy of the overall security performance of an evaluated system, and the residual risk that goes with operating it.
Certification and accreditation do seem similar, and thus it is often a challenge to tell them apart. One perspective you might consider is that certification is a technical activity: it produces evidence (test results, analysis, documentation) about how well a specific configuration meets its requirements, and that evidence is only as trustworthy as the party that produced it, whether an internal team or a contracted certifying agent. Accreditation is a management decision: the DAA weighs that evidence against the organization's needs and formally accepts the residual risk of operating the system.
The process of certification and accreditation is often iterative. In the accreditation phase, it is not uncommon to request changes to the configuration or additional controls to address security concerns. Remember that whenever you change the configuration, you must recertify the new configuration. Likewise, you need to recertify the system when a specific time period elapses or when you make any configuration changes. Your security policy should specify what conditions require recertification. A sound policy would list the amount of time a certification is valid along with any changes that would require you to restart the certification and accreditation process.
Certification and Accreditation Systems
Two government standards are currently in place for the certification and accreditation of computing systems. The current DoD standard is the Risk Management Framework (RMF) (http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/855101p.pdf), which recently replaced the DoD Information Assurance Certification and Accreditation Process (DIACAP), which itself replaced the Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The standard for all other U.S. government executive branch departments, agencies, and their contractors and consultants is the Committee on National Security Systems (CNSS) Policy (CNSSP) (https://www.cnss.gov/CNSS/issuances/Policies.cfm; scroll down to the CNSSP 22 link), which replaced the National Information Assurance Certification and Accreditation Process (NIACAP). However, the CISSP exam may refer to either the current standards or the previous ones. The earlier DITSCAP and NIACAP processes were both divided into four phases:
Phase 1: Definition Involves the assignment of appropriate project personnel; documentation of the mission need; and registration, negotiation, and creation of a System Security Authorization Agreement (SSAA) that guides the entire certification and accreditation process
Phase 2: Verification Includes refinement of the SSAA, systems development activities, and a certification analysis
Phase 3: Validation Includes further refinement of the SSAA, certification evaluation of the integrated system, development of a recommendation to the DAA, and the DAA's accreditation decision
Phase 4: Post Accreditation Includes maintenance of the SSAA, system operation, change management, and compliance validation
The NIACAP process, administered by the Information Systems Security Organization of the National Security Agency, outlines three types of accreditation that may be granted. The definitions of these types of accreditation (from National Security Telecommunications and Information Systems Security Instruction 1000) are as follows:
For a system accreditation, a major application or general support system is evaluated.
For a site accreditation, the applications and systems at a specific, self-contained location are evaluated.
For a type accreditation, an application or system that is distributed to a number of different locations is evaluated.
Un der stand Se cu rity Ca pa bil i ties of In for ma tion Sys tems The se cu rity ca pa bil i ties of in for ma tion sys tems in clude mem ory pro tec tion, vir tu al iza tion, Trusted
Plat form Mod ule (TPM), in ter faces, and fault tol er ance. It is im por tant to care fully as sess each as pect of the in fra struc ture to en sure that it suf fi ciently sup ports se cu rity. With out an un der stand ing of the se cu rity ca pa bil i ties of in for ma tion sys tems, it is im pos si ble to eval u ate them, nor is it pos si ble to im ple ment them prop erly.
Memory Protection
Memory protection is a core security component that must be designed and implemented into an operating system. It must be enforced regardless of the programs executing in the system; otherwise instability, violation of integrity, denial of service, and disclosure are likely results. Memory protection is used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it. In practice the kernel sets per-page permissions (read, write, execute) and the processor's memory management unit (MMU) enforces them on every access; a violation raises a hardware fault that the kernel turns into a signal or terminates the offending process.
Memory protection is discussed throughout Chapter 9 in relation to the topics of isolation, virtual memory, segmentation, memory management, and protection rings.
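The following C program is an added example, not code from the book: it shows the enforcement described above happening on a real page. One page is mapped, marked read-only with mprotect(), and then written to; the MMU refuses the store, the kernel delivers SIGSEGV (SIGBUS on some platforms), and a handler jumps back so the outcome can be reported rather than the process dying. It is POSIX-only, and the byte values written are constructed for the illustration.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not from the book. Maps one page, marks it read-only with
 * mprotect(), then writes to it. The MMU refuses the store and the kernel
 * delivers SIGSEGV (SIGBUS on some platforms); the handler jumps back so the
 * outcome can be reported instead of the process dying. POSIX only. */

static sigjmp_buf recover_point;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover_point, 1);          /* unwind out of the faulting store */
}

/* Returns 1 if the write was blocked and the page is unchanged,
 * 0 if the write went through, -1 if setup failed. */
int probe_readonly_page(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    void *raw = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED) return -1;
    volatile unsigned char *p = raw;
    p[0] = 0x41;                           /* allowed: page is writable */

    if (mprotect(raw, (size_t)page, PROT_READ) != 0) {
        munmap(raw, (size_t)page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int blocked = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
        p[0] = 0x42;                       /* denied: the MMU raises a fault */
    } else {
        blocked = 1;                       /* we got here via on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);   /* restore previous handling */
    sigaction(SIGBUS, &old_bus, NULL);

    int intact = (p[0] == 0x41);           /* reads are still permitted */
    munmap(raw, (size_t)page);
    return (blocked && intact) ? 1 : 0;
}

int main(void) {
    int r = probe_readonly_page();
    if (r == 1) printf("write to read-only page was blocked; contents intact\n");
    else        printf("unexpected result: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The same mechanism is what keeps one process out of another's address space: each process has its own page tables, so an address that is not mapped for it has no permission bits at all and faults in the same way.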
Meltdown and Spectre
In late 2017, two significant CPU design flaws were discovered and given the names Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Both arise from speculative execution, the technique modern CPUs use to predict and begin executing instructions before it is known whether they are needed. When a prediction turns out to be wrong, the architectural results are discarded, but the side effects of the speculative work (most importantly, which lines were loaded into the cache) are not fully undone. An attacker can measure those side effects through a cache timing side channel and recover data that the processor's memory protection should never have exposed.
Meltdown is an exploitation that can allow for the reading of private kernel memory contents by a nonprivileged process. Spectre can enable the wholesale theft of memory contents from other running applications by tricking a victim into speculatively executing code that leaks its own data. An astoundingly wide range of processors are vulnerable to one or both of these exploits. While two different issues, they were discovered nearly concurrently and made public at the same time. By the time of the publication of this book, patches are likely to be available to address these issues in existing hardware (in the form of kernel and microcode mitigations, which carry a performance cost), and future processors should have native mechanisms to prevent such exploitations. On Linux, the current mitigation status for each issue is reported under /sys/devices/system/cpu/vulnerabilities/.
For a thorough discussion of these concerns, please listen to the Security Now podcast or read the show notes of episodes #645, "The Speculation Meltdown"; #646, "InSpectre"; and #648, "Post Spectre?" at https://www.grc.com/securitynow.htm.
Virtualization
Virtualization technology is used to host one or more operating systems within the memory of a single host computer. This mechanism allows a wide range of OSs to run on the same physical hardware, and allows multiple OSs to work simultaneously on that hardware. Common examples include VMware Workstation Pro, VMware vSphere and vSphere Hypervisor, VMware Fusion for Mac, Microsoft Hyper-V, Oracle VirtualBox, XenServer, and Parallels Desktop for Mac.
Virtualization has several benefits, such as being able to launch individual instances of servers or services as needed, real-time scalability, and being able to run the exact OS version needed for a specific application. Virtualized servers and services are indistinguishable from traditional servers and services from a user's perspective. Additionally, recovery from damaged, crashed, or corrupted virtual systems is often quick, simply consisting of replacing the virtual system's main hard drive file with a clean backup version and then relaunching it. Keep in mind that the hypervisor becomes part of the trusted computing base of every guest it hosts: a flaw in the hypervisor, or a guest escape, can expose all of the guests on that host. (Additional coverage of virtualization and some of its associated risks is provided in Chapter 9 along with cloud computing.)
Trusted Platform Module
The Trusted Platform Module (TPM) is both a specification for a cryptoprocessor chip on a mainboard and the general name for implementations of that specification. A TPM chip is used to store and process cryptographic keys, most visibly for a hardware-supported whole-disk encryption system; it also records measurements of the boot sequence in its platform configuration registers (PCRs), which lets keys be sealed to a known-good software state. Generally, a hardware implementation, rather than a software-only implementation, of hard drive encryption is considered to be more secure.
When TPM-based whole-disk encryption is in use, the user/operator must supply a password or physical Universal Serial Bus (USB) token device to the computer to authenticate and allow the TPM chip to release the hard drive encryption keys into memory. While this seems similar to a software implementation, the key difference is that the encryption key is sealed to the TPM of the original system: if the hard drive is removed and placed in another computer, that computer's TPM (if any) cannot release the key, so the drive cannot be decrypted. The TPM also typically releases the key only when the measured boot sequence matches the one the key was sealed to, so tampering with the firmware or bootloader withholds the key as well. Only with the original TPM chip (or a separately stored recovery key, which must therefore be protected as carefully as the data itself) can the drive be decrypted and accessed. With software-only hard drive encryption, the hard drive can be moved to a different computer without any access or use limitations, provided the passphrase is known.
A hardware security module (HSM) is a cryptoprocessor used to manage/store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication. An HSM is often an add-on adapter or peripheral or can be a Transmission Control Protocol/Internet Protocol (TCP/IP) network device. HSMs include tamper protection to prevent their misuse even if physical access is gained by an attacker. A TPM can be thought of as a small, low-cost HSM built onto the mainboard.
HSMs provide an accelerated solution for large (2,048+ bit) asymmetric encryption calculations and a secure vault for key storage. Many certificate authority systems use HSMs to store certificates and, more importantly, the CA's private signing keys; ATM and POS bank terminals often employ proprietary HSMs; hardware SSL accelerators can include HSM support; and Domain Name System Security Extensions (DNSSEC)-compliant DNS servers use HSMs to hold the keys with which zones are signed.
Interfaces
A constrained or restricted interface is implemented within an application to restrict what users can do or see based on their privileges. Users with full privileges have access to all the capabilities of the application. Users with restricted privileges have limited access.
Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn't have permissions to use it. Commands might be available to administrators via a menu or by right-clicking an item, but if a regular user doesn't have permissions, the command does not appear. Other times, the command is shown but is dimmed or disabled. The regular user can see it but will not be able to use it.
The purpose of a constrained interface is to limit or restrict the actions of both authorized and unauthorized users. The use of such an interface is a practical implementation of the Clark-Wilson model of security, in which subjects may act on data only through well-formed transactions. Hiding or disabling a command in the interface is not by itself a security control, however: the application must check the user's permissions again when the command is actually invoked, because a user can submit the request directly (with a modified client or a scripted request, for example) without ever going through the menu.
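The following C program is an added illustration, not code from the book or any particular application: it builds a menu that hides the commands a user lacks privilege for, and separately repeats the same authorization check when a command is executed by name, which is the part that actually enforces the restriction. The privilege levels and command names are assumed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. A constrained interface: the menu shows
 * only what the caller is allowed to use, and the same authorization check is
 * repeated when a command is executed. Privilege levels and command names are
 * assumed for the illustration. */

enum privilege { PRIV_USER = 1, PRIV_OPERATOR = 2, PRIV_ADMIN = 3 };

struct command {
    const char *name;
    enum privilege required;           /* minimum privilege to use it */
};

static const struct command commands[] = {
    { "view-report",   PRIV_USER     },
    { "export-report", PRIV_OPERATOR },
    { "delete-report", PRIV_ADMIN    },
    { "manage-users",  PRIV_ADMIN    },
};
#define NCOMMANDS (sizeof commands / sizeof commands[0])

/* Presentation: copy the names the caller may use into out[] (up to max)
 * and return how many were shown. Commands above the caller's privilege are
 * hidden, which is what the user experiences as a restricted menu. */
int render_menu(enum privilege p, const char **out, int max) {
    int shown = 0;
    for (size_t i = 0; i < NCOMMANDS && shown < max; i++)
        if (commands[i].required <= p)
            out[shown++] = commands[i].name;
    return shown;
}

/* Convenience for callers that only need the count. */
int visible_count(enum privilege p) {
    const char *names[NCOMMANDS];
    return render_menu(p, names, (int)NCOMMANDS);
}

/* Enforcement: run a command submitted by name. The privilege check is made
 * again here because hiding a menu item does not stop a user from sending the
 * command directly (scripted request, modified client, typed URL).
 * Returns 1 when the action is performed, 0 when refused, -1 if unknown. */
int execute_command(enum privilege p, const char *name) {
    for (size_t i = 0; i < NCOMMANDS; i++) {
        if (strcmp(commands[i].name, name) != 0) continue;
        if (commands[i].required > p) return 0;   /* refused regardless of UI */
        return 1;                                  /* real code would act here */
    }
    return -1;
}

int main(void) {
    const char *menu[NCOMMANDS];
    int n = render_menu(PRIV_USER, menu, (int)NCOMMANDS);
    printf("menu for a regular user:");
    for (int i = 0; i < n; i++) printf(" %s", menu[i]);
    printf("\nregular user submits delete-report directly: %s\n",
           execute_command(PRIV_USER, "delete-report") == 0 ? "refused" : "allowed");
    return 0;
}
```

The point of keeping one table for both functions is that the menu and the enforcement cannot drift apart: a command added to the table with the wrong privilege is wrong in both places, and one missing from the menu is still refused at execution.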
Fault Tolerance
Fault tolerance is the ability of a system to suffer a fault but continue to operate. Fault tolerance is achieved by adding redundant components, such as additional disks within a redundant array of inexpensive disks (RAID) or additional servers within a failover clustered configuration. Fault tolerance is an essential element of security design, because availability is one of the three properties security must preserve. It is also considered part of avoiding single points of failure and the implementation of redundancy. For more details on fault tolerance, redundant servers, RAID, and failover solutions, see Chapter 18, "Disaster Recovery Planning."
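The following C program is an added example, not code from the book, of the redundancy that gives a RAID 5-style array its tolerance of a single disk failure: one parity block is computed as the XOR of the data blocks in a stripe, so any one lost block (data or parity) can be rebuilt from the survivors, while two blocks lost at once cannot. The disk count, block size and sample data are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. A RAID 5-style stripe: three data blocks
 * and one parity block that is the XOR of the data. Any single lost block
 * (data or parity) is rebuilt by XORing the survivors. Disk count, block size
 * and contents are constructed for the illustration. */

#define DISKS 4                 /* three data disks plus one parity disk */
#define BLOCK 8                 /* bytes per disk in one stripe */
#define PARITY (DISKS - 1)

/* Write the parity block: XOR of all data blocks. */
void compute_parity(unsigned char stripe[DISKS][BLOCK]) {
    memset(stripe[PARITY], 0, BLOCK);
    for (int d = 0; d < PARITY; d++)
        for (int i = 0; i < BLOCK; i++)
            stripe[PARITY][i] ^= stripe[d][i];
}

/* Rebuild disk `lost` from every other disk. Because XOR is its own inverse,
 * the same step recovers a data block or the parity block. */
void rebuild_disk(unsigned char stripe[DISKS][BLOCK], int lost) {
    memset(stripe[lost], 0, BLOCK);
    for (int d = 0; d < DISKS; d++) {
        if (d == lost) continue;
        for (int i = 0; i < BLOCK; i++)
            stripe[lost][i] ^= stripe[d][i];
    }
}

/* Fill a stripe with constructed sample data and its parity. */
static void make_stripe(unsigned char stripe[DISKS][BLOCK]) {
    memcpy(stripe[0], "data-A0", BLOCK);    /* 7 characters plus NUL = 8 bytes */
    memcpy(stripe[1], "data-B1", BLOCK);
    memcpy(stripe[2], "data-C2", BLOCK);
    compute_parity(stripe);
}

/* Lose one disk, rebuild it, and check the stripe is identical to the
 * original. Returns 1 if the data survived. */
int survives_single_failure(int lost) {
    unsigned char stripe[DISKS][BLOCK], original[DISKS][BLOCK];
    if (lost < 0 || lost >= DISKS) return 0;
    make_stripe(stripe);
    memcpy(original, stripe, sizeof stripe);
    memset(stripe[lost], 0xFF, BLOCK);       /* the disk's contents are gone */
    rebuild_disk(stripe, lost);
    return memcmp(original, stripe, sizeof stripe) == 0;
}

/* Lose two disks at once. Single parity gives one equation with two
 * unknowns, so the rebuild cannot succeed. Returns 1 if data was lost. */
int loses_double_failure(int a, int b) {
    unsigned char stripe[DISKS][BLOCK], original[DISKS][BLOCK];
    if (a == b || a < 0 || b < 0 || a >= DISKS || b >= DISKS) return 0;
    make_stripe(stripe);
    memcpy(original, stripe, sizeof stripe);
    memset(stripe[a], 0, BLOCK);             /* both disks unreadable; the   */
    memset(stripe[b], 0, BLOCK);             /* rebuild must treat them as 0 */
    rebuild_disk(stripe, a);                 /* "recovers" a using a bogus b */
    return memcmp(original, stripe, sizeof stripe) != 0;
}

int main(void) {
    for (int d = 0; d < DISKS; d++)
        printf("disk %d lost: %s\n", d, survives_single_failure(d) ? "rebuilt" : "LOST");
    printf("disks 0 and 1 lost: %s\n",
           loses_double_failure(0, 1) ? "unrecoverable" : "rebuilt");
    return 0;
}
```

The double-failure case is why a RAID array is not a backup and why rebuild time matters: until the replacement disk is rebuilt, the array is one more fault away from data loss.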
Summary
Secure systems are not just assembled; they are designed to support security. Systems that must be secure are judged for their ability to support and enforce the security policy. This process of evaluating the effectiveness of a computer system is certification. The certification process is the technical evaluation of a system's ability to meet its design goals. Once a system has satisfactorily passed the technical evaluation, the management of an organization begins the formal acceptance of the system. The formal acceptance process is accreditation.
The entire certification and accreditation process depends on standard evaluation criteria. Several criteria exist for evaluating computer security systems. The earliest, TCSEC, was developed by the U.S. Department of Defense. TCSEC, also called the Orange Book, provides criteria to evaluate the functionality and assurance of a system's security components. ITSEC is an alternative to the TCSEC guidelines and is used more often in European countries. In 2005, TCSEC was replaced by the Common Criteria. Regardless of which criteria you use, the evaluation process includes reviewing each security control for compliance with the security policy. The better a system enforces the good behavior of subjects' access to objects, the higher the security rating.
When security systems are designed, it is often helpful to create a security model to represent the methods the system will use to implement the security policy. We discussed several security models in this chapter. The Bell-LaPadula model supports data confidentiality only. It was designed for the military and satisfies military concerns. The Biba model and the Clark-Wilson model address the integrity of data and do so in different ways. These models are often used as part of the foundation when designing security infrastructure for commercial applications.
All of this understanding must culminate in an effective system security implementation in terms of preventive, detective, and corrective controls. That's why you must also know the access control models and their functions. This includes the state machine model, Bell-LaPadula, Biba, Clark-Wilson, the information flow model, the noninterference model, the Take-Grant model, the access control matrix model, and the Brewer and Nash model.
Exam Essentials
Know details about each of the access control models. Know the access control models and their functions. The state machine model describes a system as a set of states and transitions; the system is secure if every state it can start in or transition to is a secure state. The information flow model is designed to prevent unauthorized, insecure, or restricted information flow. The noninterference model prevents the actions of one subject from affecting the system state or actions of another subject. The Take-Grant model dictates how rights can be passed from one subject to another or from a subject to an object. An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Bell-LaPadula subjects have a clearance level that allows them to access only those objects with the corresponding classification levels. This enforces confidentiality. Biba prevents subjects with lower integrity levels from writing to objects at higher integrity levels (no write up) and from reading objects at lower integrity levels (no read down). Clark-Wilson is an integrity model that allows subjects to modify data only through well-formed transactions, separates duties, and relies on auditing to ensure that unauthorized subjects cannot access objects and that authorized users access objects properly. Biba and Clark-Wilson enforce integrity. Goguen-Meseguer and Sutherland focus on integrity. Graham-Denning focuses on the secure creation and deletion of both subjects and objects.
Know the definitions of certification and accreditation. Certification is the technical evaluation of each part of a computer system to assess its concordance with security standards. Accreditation is the process of formal acceptance of a certified configuration from a designated authority.
Be able to describe open and closed systems. Open systems are designed using industry standards and are usually easy to integrate with other open systems. Closed systems are generally proprietary hardware and/or software. Their specifications are not normally published, and they are usually harder to integrate with other systems.
Know what confinement, bounds, and isolation are. Confinement restricts a process to reading from and writing to certain memory locations. Bounds are the limits of memory a process cannot exceed when reading or writing. Isolation is the mode a process runs in when it is confined through the use of memory bounds.
Be able to define object and subject in terms of access. The subject is the user or process that makes a request to access a resource. The object is the resource a user or process wants to access.
Know how security controls work and what they do. Security controls use access rules to limit the access by a subject to an object.
Be able to list the classes of TCSEC, ITSEC, and the Common Criteria. The classes of TCSEC include verified protection, mandatory protection, discretionary protection, and minimal protection. Table 8.4 covers and compares equivalent and applicable rankings for TCSEC, ITSEC, and the CC (remember that functionality ratings from F7 to F10 in ITSEC have no corresponding ratings in TCSEC).
Define a trusted computing base (TCB). A TCB is the combination of hardware, software, and controls that form a trusted base that enforces the security policy.
Be able to explain what a security perimeter is. A security perimeter is the imaginary boundary that separates the TCB from the rest of the system. TCB components communicate with non-TCB components using trusted paths.
Know what the reference monitor and the security kernel are. The reference monitor is the logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access. The security kernel is the collection of the TCB components that implement the functionality of the reference monitor.
Understand the security capabilities of information systems. Common security capabilities include memory protection, virtualization, and Trusted Platform Module (TPM).
Written Lab
1. Name at least seven security models.
2. Describe the primary components of TCB.
3. What are the two primary rules or principles of the Bell-LaPadula security model? Also, what are the two rules of Biba?
4. What is the difference between open and closed systems and open and closed source?